How to hide web server version from appearing in http header

For apache, just add below lines into /etc/apache2/apache2.conf:

ServerTokens Prod

ServerSignature Off

where ServerTokens controls what kind of information being sent to the header. Options available for ServerTokens are(from apache docs):

ServerTokens Prod[uctOnly]

Server sends (e.g.): Server: Apache

ServerTokens Major

Server sends (e.g.): Server: Apache/2

ServerTokens Minor

Server sends (e.g.): Server: Apache/2.0

ServerTokens Min[imal]

Server sends (e.g.): Server: Apache/2.0.41

ServerTokens OS

Server sends (e.g.): Server: Apache/2.0.41 (Unix)

ServerTokens Full (or not specified)

Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2



while ServerSignature is to allow configuration of a trailing footer line under server generated documents, such as error messages and mod_proxy ftp directory listings. Putting it to off will suppress the footer line.

Once added, restart or reload apache to activate the changes.

# /etc/init.d/apache2 restart

For nginx, add below line into your /etc/nginx/nginx.conf:

server_tokens off

where this line of config will hide your nginx version number. Do not forget to restart or reload nginx, for the change to take effect.

# /etc/init.t/nginx restart

To check for the header, you can use curl:

curl -I www.foo.net

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Apache/2.2.15 (Red Hat)

where -I is for curl to grab just the http header.