Change Apache httpd "Server:" HTTP header

mod_security is great, but you don't really need it to achieve your goal.

after all mods have been included in httpd.conf you can simply unset the headers of your choosing.

Header unset Server

ServerSignature Off
ServerTokens Prod

http://httpd.apache.org/docs/2.4/mod/core.html#serversignature


Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do

grep -Ri servertokens /etc/apache2

This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.

I simply changed the directives in security.conf and Apache started working as I wanted.

ServerTokens Prod
ServerSignature Off

On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.

I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.


The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.

With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."