ServerSignature is HTTP header information that is sent by the web server. This information includes the server version, the operating system and the modules installed on the server, and hackers might use it to look for vulnerabilities. Here is how ServerSignature can be disabled:
How to see whether ServerSignature is on or off
If you access a page (URL) on your server that does not exist, you should get a “Not Found” page. If you get a message on the page similar to "Apache Server at yourdomain.com Port 80" it means that server signature is on, and you need to disable it. (See Picture Below)
Disable ServerSignature
Before starting, try to open a URL on the server that you know does not exist.
1. Log in over SSH as root
2. Find the conf file. On an Ubuntu server it should be located here: /etc/apache2/apache2.conf.
Run command: sudo vi /etc/apache2/apache2.conf
3. Add the following to the file:
ServerSignature Off
ServerTokens Prod
4. Now you need to restart Apache: sudo service apache2 restart
This is all you need to do.
Confirm ServerSignature is turned off
Accessing a page that does not exist will not return "Apache Server at yourdomain.com Port 80". See before and after samples below.
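A scripted version of this check, as an added example that is not part of the original article: the shell functions below read a raw HTTP response saved with curl -si and report whether the Server header or the error-page footer still carries version details. The function names, file names and the sample responses (including the version string in them) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Capture a response first, e.g.:
#   curl -si http://yourdomain.com/no-such-page > resp.txt
# then call: audit_response resp.txt

# Print the value of the Server header (headers end at the first blank line).
server_header() {
    tr -d '\r' < "$1" | awk '
        NF == 0 { exit }
        tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print }'
}

# Succeed when the header shows more than the product name.
# ServerTokens Prod reduces it to exactly "Apache".
header_leaks() {
    case "$(server_header "$1")" in
        */*|*\(*) return 0 ;;   # version, OS or module tokens present
        *)        return 1 ;;   # bare product name, or no Server header
    esac
}

# Succeed when the body still has the footer that ServerSignature On appends.
footer_present() {
    tr -d '\r' < "$1" | awk '
        body && /Apache.* Server at .* Port [0-9]+/ { found = 1 }
        NF == 0 { body = 1 }
        END { exit !found }'
}

# Report both checks; return 0 only when neither leak is present.
audit_response() {
    rc=0
    if header_leaks "$1"; then
        echo "LEAK: Server: $(server_header "$1")"; rc=1
    fi
    if footer_present "$1"; then
        echo "LEAK: error page still carries the server signature"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no version details in header or error page"
    return "$rc"
}

# Constructed before/after responses for trying the checks offline.
write_samples() {
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: Apache/2.4.41 (Ubuntu)' '' \
        '<address>Apache/2.4.41 (Ubuntu) Server at yourdomain.com Port 80</address>' \
        > "$1/before.txt"
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: Apache' '' \
        '<h1>Not Found</h1>' > "$1/after.txt"
}
```

The two checks are reported separately because each directive controls one of them: a response can have a clean header and still show the footer, or the reverse, if only one line was added to the conf file.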