Hide Apache and PHP Version and Signatures in Ubuntu Linux

Apache Security

By default, your Apache web server (and PHP if it is installed) will indicate to clients the exact version of the Apache software which is running. This version information can be seen in the HTTP response header.

At times, such behaviour is undesirable as some administrators think that this will make their server more vulnerable to attacks since an attacker will immediately know what software versions are running and may then easily gather any available exploits. The simple fact is, even if your server software is masked, and attacker can try to determine the versions using other means, or they can just try to attack it using all the exploits they have.

Regardless of whatever your intention is, turning off these signatures will add an additional level of complexity (albeit minimal) to a potential attacker.

The tutorial below explains.

How to disable Apache signature

Open the relevant apache2.conf config file:

nano /etc/apache2/apache2.conf

At the end of the file, or at some other sensible location, add the following lines:

ServerTokens Prod
ServerSignature off

Restart your server for the new changes to take effect:

/etc/init.d/apache2 restart

How to disable PHP signature

Open the relevant php.ini config file:

nano /etc/php5/apache2/php.ini

Find the line that says:

expose_php = On

And change it to:

expose_php = Off

Finally restart your server again for the new changes to take effect:

/etc/init.d/apache2 restart

Now your server is a little bit more secure from attackers since it will only indicate that it is an Apache server with no clues as to the version number of the modules which are installed.

Note: Disabling the “Server: Apache” line in the HTTP response header altogether cannot be readily done using configurations (if at all), and will usually have to be done by recompiling the web server binaries. If you are running such a critical application that warrants such extreme measures, this task is left up to you. The bottom line is that if your software is kept up to date, it shouldn’t matter if an attacker knows what type of web server you are running.


Secure Apache from Clickjacking with X-FRAME-OPTIONS

Apache Security

Clickjacking is well known web application vulnerabilities. For example, it was used as an attack on Twitter. To defense Clickjacking attack on your Apache web server, you can use X-FRAME-OPTIONS to avoid your website being hacked from Clickjacking.

The X-Frame-Options in HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe. This will prevent site content embedded into other sites. Did you ever tried embedding Google.com in your website as frame? You can’t because it’s protected and you can protect your’s too.

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: This setting will allow page to be displayed in frame on the same origin as the page itself.
  2. DENY: This setting will prevent a page displaying in a frame or iframe.
  3. ALLOW-FROM uri: This setting will allow page to be displayed only on the specified origin.

How to implement in Apache, IBM HTTP Server?

Add following line in Apache Web Server’s httpd.conf file

Header always append X-Frame-Options SAMEORIGIN

Restart Apache Web Server

Note: This implementation is applicable in IBM HTTP Server as well. You can add above Header parameter in httpd.conf of your IBM HTTP Server instance.

How to implement in shared web hosting?

If your website is hosted on shared web hosting then you won’t have permission to modify httpd.conf. However, you can implement this by adding following line in .htaccess file.


How to verify the implementation?

You can use any web developer tool to view Response headers and ensure you see following. You can also use online tool – Header Checker to verify.

X Frame Options

Originally posted on http://chandank.com/webservers/apache/secure-apache-from-clickjacking-with-x-frame-options

Secure cookie with HttpOnly and Secure flag in Apache

Apache Security

Do you know you can mitigate most common XSS attack using HttpOnly and Secure flag with your cookie? XSS is dangerous, very dangerous. By looking at increasing number of XSS attack on daily basis, you must secure you web applications.

Without having HttpOnly and Secure flag in HTTP response header, it is possible to steal or manipulate web application session and cookies. It’s good practice to set HttpOnly and Secure flag in application code by developers. However, due to bad programming or developers’ unawareness it comes to Web Infrastructures.

I will not talk about how to set these at code level. You can refer here.

While performing security test on web applications, it’s expected that you will have to fix these to pass the penetration test. This is how you can fix these in Apache Web Server.

Implement in Apache:

1.     Ensure you have mod_headers.so enabled in Apache instance

2.     Add following entry in httpd.conf

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

3.     Restart Apache Web Server

Note: Header edit is not compatible with lower than Apache 2.2.4 version. You can use following to set HttpOnly and Secure flag in lower than 2.2.4 version. Thanks to Ytse for sharing this information.

Header set Set-Cookie HttpOnly;Secure


Open your website with HTTP Watch, Live HTTP Header or HTTP Header Online tool.

Check HTTP response header, you should see as highlighted

Cookie Httponly Secure


Originally posted by : http://chandank.com/webservers/apache/httponly-secure-cookie-apache