Remove "Server: Apache" from response headers

Question

I want to know how to remove the Server header completely that apache sends in the response.

Initially, it was showing full server info like Server: Apache (Ubuntu 14.04) in the response headers. But I read somewhere to add this in apache2.conf

ServerTokens ProductOnly

ServerSignature Off

It didn't remove the header but only changed it to Server: Apache

I even tried from PHP to remove that header with header_remove('Server');. But still no luck.

So, I want to remove that completely.

Thanks,

PS: if its possible to change the header value for eg: to Server: Microsoft-IIS/8.0 (fake value); then its okay too.

Answer 1

This is the best way I found:

sudo apt-get install libapache2-mod-security2

Then add this to /etc/apache2/apache.conf (you can use any name, here I've used space):

<IfModule security2_module>
    SecRuleEngine on
    ServerTokens Min
    SecServerSignature " "
</IfModule> 

and restart Apache:

sudo service apache2 restart

Now when you run something like:

curl -v http://localhost:80/ | head

you should get:

< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:31:11 GMT
* Server  is not blacklisted
< Server:

For full details see here.

Answer 2

2020 Update:

To build on the answer by @Maxym on using the mod_security module - NOTE that you CANNOT remove the server header ENTIRELY ( that is only possible through source code editing/recompilation ) with this module, however you can rename the public server signature - say "NinjaServer" via this mod_security module !

To do that;

We have to ( in httpd.conf or equivalent ) keep/set;

ServerTokens Full

Then via mod_security2.conf;

SecServerSignature "NinjaServer"

Also, its better for the mod_security module to be loaded last to avoid notices in the apache error log.

For a OpenSuse 15.x / Apache 2.4.x Setup, the actual steps are;

 zypper -v in apache2-mod_security2 // install mod_security
 a2enmod security2                  // enable the module
 a2enmod unique_id                  // this was needed too...
 a2enmod -l                         // verify loaded

Next, edit httpd.conf.local (under /etc/apache2) and set;

 ServerTokens Full

Next, edit mod_security2.conf (under /etc/apache2) and set;

 SecRuleEngine DetectionOnly         // only remove apache server name
 SecServerSignature "NinjaServer"    // some name other than Apache

Also comment out ( this example is just for modifying Public Server Signature );

# Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf

 

Then restart apache via

systemctl restart apache2

And if you were to check your headers ( Browser's Dev Tools ) now, you will see the Server name appearing as NinjaServer :-)