Turn Off Server Signatures on Apache

Hi there 👋

First of all, as a recent user of FreedomBox, thank you for the great work!

I wanted to raise a ticket as I've noticed that server signatures are exposed on Apache; a clear example is the attached error page. Revealing the web server signature with server/PHP version info can be a security risk, as you are essentially telling attackers the known vulnerabilities of your system. It is recommended to disable all web server signatures as part of the server hardening process.

Screenshot_2019-10-29_at_14.33.58

Any chance we can turn server signatures off in /etc/apache2/apache2.conf? It would be good if we can modify the file to match this:

ServerSignature Off
ServerTokens Prod

Maybe also for PHP? expose_php = Off in php.ini?

Happy to update it myself but I couldn't find the file that sets config on Apache or PHP.

Thank you!