How to Remove Sensitive Information from Apache Error Pages: Complete Security Guide

Learn how to secure your Apache server by removing sensitive information from error pages. This simple configuration guide helps prevent potential attackers from discovering vulnerabilities in your server setup.

Sensitive information displayed in Apache error pages can provide hackers with valuable insights into your server configuration, potentially exposing security vulnerabilities.

By default, Apache reveals details such as server version, operating system, and module information in its error pages—essentially offering reconnaissance data to potential attackers on a silver platter.

Implementing proper security measures to conceal this information is a fundamental step in hardening your web server against common attack vectors.

Understanding the Security Risk

When Apache encounters an error, it typically displays a signature at the bottom of the error page that includes:

  • Apache version number
  • Operating system information
  • Enabled modules
  • Server hostname and port

This information might seem harmless, but for attackers, it provides critical intelligence that can be used to:

  • Target known vulnerabilities specific to your Apache version
  • Tailor attacks based on your operating system
  • Exploit weaknesses in enabled modules
  • Map your server infrastructure

Configuring Apache to Hide Sensitive Information

Securing your Apache server against information disclosure is surprisingly simple and requires modifying just one configuration file with two directives.

Editing the Apache Configuration File

First, open the main Apache configuration file using your preferred text editor:

sudo nano /etc/apache2/apache2.conf

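Navigate to the bottom of the file and add these two directives. Check that neither directive is also set elsewhere in your configuration, including in included files, since conflicting copies make it unclear which value is in effect: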

ServerTokens Prod
ServerSignature Off

Understanding the Configuration Directives

These two directives control how much information Apache reveals:

ServerTokens Prod: This directive restricts the server response header to show only "Apache" without version information, module details, or operating system information. The "Prod" option provides the minimal level of information disclosure.

ServerSignature Off: This directive completely disables the footer line that appears on server-generated pages like error documents, directory listings, and more.

While these settings help improve security by reducing information disclosure, they should be considered just one component of a comprehensive security strategy. Always implement multiple layers of security protection.

Applying Your Configuration Changes

After making these changes, you'll need to restart Apache for them to take effect:

sudo systemctl restart apache2

Or on some systems:

sudo service apache2 restart

Verifying Your Security Settings

To confirm your changes have been applied correctly, you can:

  1. Intentionally access a non-existent page to trigger a 404 error
  2. Check the page source to ensure no server signature appears
  3. Use tools like curl with the -I flag to check for limited headers:

curl -I http://your-server-address/

The output should show "Server: Apache" without version information.
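
The three checks above can be scripted. The following is an added example, not part of the original guide: it audits a raw HTTP response (headers plus body, as printed by `curl -si`) for a versioned Server header and for the signature footer. The function names, the sample responses and the version string in them are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Audits a raw HTTP response,
# as printed by `curl -si`, for the two leaks that ServerTokens and
# ServerSignature control. Function names and sample data are constructed.

# Print the Server header value; the first blank line ends the headers.
server_header() {
  tr -d '\r' | awk '
    /^$/ { exit }
    tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print the <address> footer Apache appends when ServerSignature is On.
signature_footer() {
  tr -d '\r' | grep -io '<address>apache[^<]*</address>' | head -n 1
}

# Return 0 if the response discloses nothing beyond "Apache", 1 otherwise.
audit_response() {
  local raw="$1" server footer status=0
  server=$(printf '%s\n' "$raw" | server_header)
  footer=$(printf '%s\n' "$raw" | signature_footer)
  case "$server" in
    Apache/*) echo "LEAK Server: $server (set ServerTokens Prod)"; status=1 ;;
    Apache)   echo "OK   Server: Apache" ;;
    *)        echo "NOTE no Apache Server banner (got: '$server')" ;;
  esac
  if [ -n "$footer" ]; then
    echo "LEAK footer: $footer (set ServerSignature Off)"; status=1
  else
    echo "OK   no signature footer in body"
  fi
  return "$status"
}

# Constructed 404 responses: before and after the two directives are applied.
SAMPLE_BEFORE=$(printf '%s\r\n' 'HTTP/1.1 404 Not Found' \
  'Server: Apache/2.4.58 (Ubuntu)' 'Content-Type: text/html' '' \
  '<html><body><h1>Not Found</h1><hr>' \
  '<address>Apache/2.4.58 (Ubuntu) Server at www.example.test Port 80</address>' \
  '</body></html>')
SAMPLE_AFTER=$(printf '%s\r\n' 'HTTP/1.1 404 Not Found' \
  'Server: Apache' 'Content-Type: text/html' '' \
  '<html><body><h1>Not Found</h1></body></html>')

audit_response "$SAMPLE_BEFORE" || echo "=> before: information disclosed"
audit_response "$SAMPLE_AFTER"  && echo "=> after: clean"
# Live check: audit_response "$(curl -si http://your-server-address/no-such-page)"
```

A response with `Server: Apache` but a remaining `<address>` footer is still reported as a leak, which catches the case where only ServerTokens was changed.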

Additional Apache Security Hardening Measures

While hiding sensitive information is important, consider these additional security measures:

  • Install and configure a web application firewall (WAF)
  • Implement proper file and directory permissions
  • Enable HTTPS with strong SSL/TLS configurations
  • Regularly update Apache and all installed modules
  • Configure proper logging and monitor logs for suspicious activity

Conclusion

Removing sensitive information from Apache error pages is a quick and essential security practice that reduces how much your server reveals about itself. By implementing the ServerTokens and ServerSignature directives, you limit what potential attackers can learn about your setup through reconnaissance.

This small configuration change requires minimal effort but delivers substantial security benefits as part of your overall web server protection strategy. Remember that effective security always involves multiple layers of protection—hiding server information is just the beginning of a comprehensive security posture.