The Apache server banner reveals details such as the server version and operating system in HTTP headers and error pages. This information can be leveraged by malicious users to launch targeted attacks. Disabling the banner helps to harden your server and reduce its exposure.
Open your Apache configuration file.
Depending on your system, edit one of the following:
/etc/apache2/apache2.conf (Debian/Ubuntu)
/etc/httpd/conf/httpd.conf (RHEL/CentOS)
Add or update the following directives. Note that the Header lines inside the IfModule block only take effect when mod_headers is loaded; on Debian/Ubuntu enable it with sudo a2enmod headers, otherwise the block is silently skipped.
ServerSignature Off
ServerTokens Prod
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set x-frame-options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 150
Restart Apache so the changes take effect (running apachectl configtest first catches syntax errors before the restart).
For Debian/Ubuntu:
sudo systemctl restart apache2
For RHEL/CentOS:
sudo systemctl restart httpd
Directive | Purpose
--- | ---
ServerSignature Off | Hides version info from Apache-generated error pages.
ServerTokens Prod | Limits the Server HTTP response header to just "Apache" (no version or operating system).
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" | Forces HTTPS for all future requests for 1 year (max-age=31536000 seconds). includeSubDomains applies the rule to all subdomains as well. Helps prevent SSL stripping attacks. Browsers only honour this header on an HTTPS response, so set it in the HTTPS virtual host.
Header set x-frame-options "SAMEORIGIN" | Prevents the site from being embedded in an <iframe> on another domain. Protects against clickjacking attacks.
Header set X-XSS-Protection "1; mode=block" | Enables cross-site scripting (XSS) protection in older browsers; current browsers ignore it. mode=block prevents rendering the page if an XSS attack is detected.
Header set X-Content-Type-Options "nosniff" | Stops browsers from MIME-type sniffing, forcing them to use the declared Content-Type. Prevents certain drive-by download attacks.
Header set Referrer-Policy "no-referrer-when-downgrade" | Controls how much referrer information is sent. In this case, the Referer header is sent when navigating from HTTPS to HTTPS but not when downgrading to plain HTTP. Protects user privacy when navigating to less secure sites.
KeepAlive On | Enables persistent connections between the client and server. Allows multiple HTTP requests to be sent over the same TCP connection, instead of opening a new connection for each file (HTML, CSS, JS, images, etc.). Result: faster page loading and reduced server load from connection overhead.
KeepAliveTimeout 5 | Defines the number of seconds Apache will wait for the next request on a persistent connection. If the client doesn't send another request within 5 seconds, the connection is closed. A value of 5 is a good balance: it avoids holding connections too long while still giving time for subsequent requests.
MaxKeepAliveRequests 150 | Sets the maximum number of requests that can be sent over a single KeepAlive connection. After 150 requests, the connection is closed. Purpose: prevents a single client from monopolizing a connection for too long.
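To confirm the configuration actually took effect after the restart, here is an added check (not from the original article) that parses a captured HTTP response head, such as the output of curl -sI, and reports any of the directives above that are not reflected in the headers. The two sample responses are constructed: a default install and one with the directives applied.

```python
import re

EXPECTED = {  # headers set by the page's <IfModule mod_headers.c> block
    "x-frame-options": r"^(SAMEORIGIN|DENY)$",
    "x-xss-protection": r"^1;\s*mode=block$",
    "x-content-type-options": r"^nosniff$",
    "referrer-policy": r"^no-referrer-when-downgrade$",
}

def parse_headers(raw):
    """Parse a raw HTTP response head (status line + headers) into a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return a list of findings; an empty list means the head matches the page's hardening."""
    h = parse_headers(raw)
    findings = []
    server = h.get("server", "")
    # With ServerTokens Prod the header is just "Apache": no "/version" and no "(OS)" suffix.
    if "/" in server or "(" in server:
        findings.append(f"Server header leaks version/OS: {server!r}")
    hsts = h.get("strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts or "")
    if not hsts:
        findings.append("missing header: strict-transport-security")
    elif not age or int(age.group(1)) < 31536000:  # one year, as in the directive
        findings.append(f"HSTS max-age below one year: {hsts!r}")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    for name, pattern in EXPECTED.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif not re.match(pattern, value, re.IGNORECASE):
            findings.append(f"unexpected value for {name}: {value!r}")
    return findings

# Constructed sample responses: a default install, and one after applying the page's directives.
BEFORE = "HTTP/1.1 200 OK\nServer: Apache/2.4.41 (Ubuntu)\nContent-Type: text/html\n"
AFTER = ("HTTP/1.1 200 OK\nServer: Apache\n"
         "Strict-Transport-Security: max-age=31536000; includeSubDomains\n"
         "x-frame-options: SAMEORIGIN\nX-XSS-Protection: 1; mode=block\n"
         "X-Content-Type-Options: nosniff\nReferrer-Policy: no-referrer-when-downgrade\n")
```

Calling audit() on the real output of curl -sI against your server is the quickest way to confirm the restart picked up the new directives.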