How to Remove Sensitive Information from Apache Error Pages: Complete Security Guide
Learn how to secure your Apache server by removing sensitive information from error pages. This simple configuration guide helps prevent potential attackers from discovering vulnerabilities in your server setup.
Sensitive information displayed in Apache error pages can provide hackers with valuable insights into your server configuration, potentially exposing security vulnerabilities.
By default, Apache reveals details such as server version, operating system, and module information in its error pages—essentially offering reconnaissance data to potential attackers on a silver platter.
Implementing proper security measures to conceal this information is a fundamental step in hardening your web server against common attack vectors.
Understanding the Security Risk
When Apache encounters an error, it typically displays a signature at the bottom of the error page that includes:
- Apache version number
- Operating system information
- Enabled modules
- Server hostname and port
This information might seem harmless, but for attackers, it provides critical intelligence that can be used to:
- Target known vulnerabilities specific to your Apache version
- Tailor attacks based on your operating system
- Exploit weaknesses in enabled modules
- Map your server infrastructure
Configuring Apache to Hide Sensitive Information
Securing your Apache server against information disclosure is surprisingly simple and requires modifying just one configuration file with two directives.
Editing the Apache Configuration File
First, open the main Apache configuration file using your preferred text editor:
sudo nano /etc/apache2/apache2.conf
Navigate to the bottom of the file and add these two important directives:
ServerTokens Prod
ServerSignature Off
Understanding the Configuration Directives
These two directives control how much information Apache reveals:
ServerTokens Prod: This directive restricts the Server response header to the bare product name "Apache", with no version number, module details, or operating system information. "Prod" is the setting that discloses the least.
ServerSignature Off: This directive completely disables the footer line that appears on server-generated pages like error documents, directory listings, and more.
Applying Your Configuration Changes
After making these changes, you'll need to restart Apache for them to take effect:
sudo systemctl restart apache2
Or on some systems:
sudo service apache2 restart
Verifying Your Security Settings
To confirm your changes have been applied correctly, you can:
- Intentionally access a non-existent page to trigger a 404 error
- Check the page source to ensure no server signature appears
- Use tools like curl with the -I flag to check for limited headers:
curl -I http://your-server-address/
The output should show "Server: Apache" without version information.
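The following shell functions are an added example, not part of the original guide: they turn the two verification steps above into repeatable checks on a captured curl -I response and a 404 page body. The sample responses are constructed, and audit_host is a hypothetical wrapper that performs the live fetch with curl.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: reusable checks for the two
# verification steps (Server header and 404 footer). The sample responses
# below are constructed to show a leaking and a hardened server side by side.

# Print the value of the Server header from a raw response-header block.
server_header_value() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | head -n 1 |
    sed 's/^[Ss]erver:[[:space:]]*//'
}

# Pass (exit 0) only when the Server header is exactly "Apache", i.e. ServerTokens Prod.
# ServerTokens applies server-wide in Apache, so this result holds for every virtual host.
check_server_header() {
  [ "$(server_header_value "$1")" = "Apache" ]
}

# Pass (exit 0) when the error page carries no "<address>... Server at ... Port ...</address>"
# footer, which is exactly the line ServerSignature Off removes.
check_error_body() {
  ! printf '%s\n' "$1" | grep -qi '<address>.*Server at .* Port [0-9]*</address>'
}

# Live variant (hypothetical wrapper): audit_host http://your-server-address/
# Fetches the headers and a guaranteed-missing page with curl; 0 only if both checks pass.
audit_host() {
  local url="$1" headers body
  headers=$(curl -sS -I "$url") || return 2
  body=$(curl -sS "${url%/}/no-such-page-$$") || return 2
  check_server_header "$headers" && check_error_body "$body"
}

# Constructed samples: what a default install and a hardened install return.
LEAKY_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n')
LEAKY_404='<h1>Not Found</h1>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>'
HARDENED_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n')
HARDENED_404='<h1>Not Found</h1>'
```

Run audit_host against your own server after the restart; a non-zero exit pinpoints which of the two directives is still not in effect.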
Additional Apache Security Hardening Measures
While hiding sensitive information is important, consider these additional security measures:
- Install and configure a web application firewall (WAF)
- Implement proper file and directory permissions
- Enable HTTPS with strong SSL/TLS configurations
- Regularly update Apache and all installed modules
- Configure proper logging and monitor logs for suspicious activity
Conclusion
Removing sensitive information from Apache error pages is a quick and essential security practice that significantly reduces your server's vulnerability footprint. By implementing the ServerTokens and ServerSignature directives, you effectively limit the reconnaissance capabilities of potential attackers.
This small configuration change requires minimal effort but delivers substantial security benefits as part of your overall web server protection strategy. Remember that effective security always involves multiple layers of protection—hiding server information is just the beginning of a comprehensive security posture.