By default, your Apache web server (and PHP, if it is installed) tells clients exactly which software is running. Apache's ServerTokens setting defaults to Full, which puts the version number, the operating system and the loaded modules into the Server response header, and PHP adds its own X-Powered-By: PHP/x.y.z header to every response.
This is sometimes unwanted: some administrators reason that advertising exact versions makes the server an easier target, because an attacker immediately knows what is running and can go straight to the matching exploits. In practice, hiding the banner is a weak measure on its own. An attacker can fingerprint the versions by other means, or simply throw every exploit they have at the server regardless of what it claims to be.
Still, whatever your motivation, turning these signatures off costs nothing and adds a small (albeit minimal) extra hurdle for a potential attacker.
The tutorial below explains.
How to disable Apache signature
Open the relevant apache2.conf config file:
At the end of the file, or at some other sensible location, add the following lines:
ServerTokens Prod
ServerSignature Off
Restart your server for the new changes to take effect:
How to disable PHP signature
Open the relevant php.ini config file:
Find the line that says:
expose_php = On
And change it to:
expose_php = Off
Finally restart your server again for the new changes to take effect:
Your server now gives away a little less. ServerTokens Prod reduces the Server header to the bare product name, Apache, with no version number, operating system or list of loaded modules; ServerSignature Off removes the footer line Apache appends to server-generated pages such as 404 errors and directory listings; and expose_php = Off removes the X-Powered-By header. Note that expose_php only controls that header: a phpinfo() page or an application that prints PHP_VERSION will still reveal the PHP version.
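To confirm from the outside that the change took effect, the following shell script (an added example, not part of the original tutorial) audits a raw HTTP response header block for the two disclosures this page turns off: a Server header that says more than the bare product name, and a PHP X-Powered-By header. The host name in the usage line and the two sample header blocks are constructed for illustration; in practice you feed it the real output of curl -sI.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Reads raw HTTP response headers on stdin and reports the version
# disclosures that ServerTokens Prod and expose_php = Off remove.
#
# Usage:  curl -sI https://www.example.com/ | audit_headers
#         (www.example.com is an assumed host name)
# Exit status 0 means nothing leaked, 1 means at least one finding.

audit_headers() {
    # Slurp stdin once; CRLF line endings from curl are normalised.
    headers=$(tr -d '\r')
    findings=0

    server=$(printf '%s\n' "$headers" | grep -i '^Server:' | head -n 1 | cut -d' ' -f2-)
    if [ -n "$server" ]; then
        # ServerTokens Prod yields exactly "Apache". Anything longer (a
        # version, an OS in parentheses, a module list) means Prod is not set.
        case "$server" in
            Apache) ;;
            *)
                echo "Server header discloses details: $server"
                findings=$((findings + 1))
                ;;
        esac
    fi

    # expose_php = On adds "X-Powered-By: PHP/x.y.z" to every response.
    powered=$(printf '%s\n' "$headers" | grep -i '^X-Powered-By:' | head -n 1 | cut -d' ' -f2-)
    if [ -n "$powered" ]; then
        echo "X-Powered-By header present: $powered"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample responses (not captured from a real host):
# what a default installation sends, and what it sends after the change.
default_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n'
}

hardened_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
}

# Demonstration on the constructed samples; "|| true" keeps a finding from
# aborting a script run with "set -e".
default_headers | audit_headers || true
hardened_headers | audit_headers && echo "hardened sample: no disclosures"
```

The script deliberately treats any Server value other than the single word Apache as a finding, so a header such as Server: Apache/2.4 (Prod is set to Major or Minor rather than Prod) is reported as well.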
Note: removing the Server header altogether cannot readily be done through configuration, if at all. ServerTokens Prod is as short as the header can be made, and mod_headers is generally ineffective against it because the core adds the Server header late in the response, after the output filters have run. Getting rid of it entirely usually means patching and recompiling the web server binaries. If you are running an application so critical that it warrants such extreme measures, that task is left up to you. The bottom line is that if your software is kept up to date, it should not matter that an attacker knows what type of web server you are running.