HowTo: Hide your Web Server Version Number (apache, lighttpd, nginx) + PHP-Version

Generally all Webservers send HTTP Headers including their version number, modules, OS, etc. These informations are used by black hats to exploit any vulnerabilities in your machine, especially if you’re running an older version with known vulnerabilies.

That’s why you should hide this kind of information completely! I will show you in this post how to configure your Webserver to mask the server’s version number and the PHP-Version.

Apache 2:

In apache2.conf

ServerTokens Prod
ServerSignature Off (hides the signature at default or failure pages)

ServerToken Values: Full=full information; Prod=Apache;Major=Apache/2; Minor=Apache/2.x; Min=Apache/2.x.x; OS=+OS


In lighttpd.conf

I love lighttpd for this feature. It is possible to set any Information you want.

e.g: server.tag = Apache/2.2.17


Use the “ngx_headers_more” module

It allows you to configure any arbitrary headers you’d like – Use the following configuration:

more_set_headers 'Server: Server-Information';

Alternatively, if you don’t want a Server header at all, then clear it using:

more_clear_headers 'Server';


To hide your PHP-Version/X-Powered-By-Tag use

expose_php = Off

in your php.ini.


One thought on “HowTo: Hide your Web Server Version Number (apache, lighttpd, nginx) + PHP-Version

  1. You can definitely see your skills in the work you write.

    The world hopes for more passionate writers such as you who aren’t afraid to mention how they believe.
    Always go after your heart.

Leave a Reply

Your email address will not be published. Required fields are marked *