How to remove HTTP Server "Apache"?

Question

For security reason, i need remove(yes!, really I need remove, delete or hide) Apache signature.

I use ServerSignature n' ServerTokens directives, but only hide the version...

ServerSignature Off
ServerTokens Prod

The results is:

Name                :Value
Date                :Mon, 15 Jun 2015 11:47:28 GMT
Content-Encoding    :gzip
Last-Modified       :Sun, 14 Jun 2015 00:01:37 GMT
Server              :Apache
ETag                :"6176c-28f4-5186f0b8c3bb0"
Vary                :Accept-Encoding,User-Agent
Content-Type        :text/xml; charset=utf-8
Cache-Control       :max-age=1
Accept-Ranges       :bytes
Content-Length      :1531
Expires             :Mon, 15 Jun 2015 11:47:29 GMT

Look this

Server              Apache

I need(without http header "Server:Apache"):

Name                Value
Date                Mon, 15 Jun 2015 11:47:28 GMT
Content-Encoding    gzip
Last-Modified       Sun, 14 Jun 2015 00:01:37 GMT
ETag                "6176c-28f4-5186f0b8c3bb0"
Vary                Accept-Encoding,User-Agent
Content-Type        text/xml; charset=utf-8
Cache-Control       max-age=1
Accept-Ranges       bytes
Content-Length      1531
Expires             Mon, 15 Jun 2015 11:47:29 GMT

Thanks!

I am very sorry Apache team, but this time can't show your signature.

possible duplicate of [Remove Server: Apache from response headers](http://stackoverflow.com/questions/25804911/remove-server-apache-from-response-headers) — Jeroen, Jun 15 '15 at 12:03
This issue was resolved on: https://stackoverflow.com/questions/20803348/how-to-remove-apache-information-completely-from-response-headers/54634628#54634628 — Washington Souza, Sep 02 '20 at 15:19
Please check the link below: https://stackoverflow.com/questions/20803348/how-to-remove-apache-information-completely-from-response-headers/54634628#54634628 — Washington Souza, Sep 02 '20 at 15:23

score 0 · Answer 1 · answered Jun 18 '15 at 16:22

0

The core distribution doesn't allow it to be removed. It's trivial to do in a plugin. mod_security allows you to configure it to be stripped.

answered Jun 18 '15 at 16:22

covener

17,402
2
31
45

score 0 · Answer 2 · edited Mar 17 '17 at 10:45

This should be a comment, but it's a bit long....

For security reason, i need remove...Apache signature - even from the data other than the Server header it is blatantly obvious that this is an Apache server (or something doing a very good impression of one).

As per discussion on security.stackexchange I do not believe that there is any security benefit in removing banners from your software. In addition to the information in your headers I could also determine this from the default error messages, how the server handles content negotiation, conditional requests, .... every time I look at a related issue, the list gets longer.

I've yet to see any evidence that disabling banners had any impact on a sites security (as opposed to allowing an auditor to tick a box in a checklist). But if anyone can provide a reference I would be very interested to hear.

How to remove HTTP Server "Apache"?

2 Answers2