
Hide Apache, Nginx, LiteSpeed, and PHP Version Numbers

Hide Server Software Version Numbers

When a browser requests a page, your server replies with HTTP headers. By default, many stacks expose software versions in headers like Server: and X-Powered-By:.

That is information leakage. It does not “hack you” by itself, but it does help attackers choose the most efficient exploit path. Clean headers reduce your public fingerprint and tighten your baseline.

GOZEN HOST note

On Managed environments, this baseline hardening is typically handled for you. If you want us to own the security posture end-to-end, see: GOZEN HOST Hosting Plans

  • What you will achieve
    • Hide web server version numbers (Apache, Nginx, LiteSpeed/OpenLiteSpeed)
    • Remove PHP’s X-Powered-By header
    • Verify results with curl
  • Estimated time
    5 to 15 minutes, plus a safe restart window.
  • Access needed
    • Root or sudo (VPS/Dedicated)
    • Shared hosting may be limited

Tell it like it is

Hiding versions is signal hygiene, not a shield.
Real security still depends on patching, WAF rules, least privilege, and monitoring.


Before you start

Recommended safety steps

  1. Take note of what you change (or snapshot/backup your config).
  2. Always run a config test before restarting a web server.
  3. If you are unsure, stop and ask Support instead of experimenting on production.

Need SSH first? Use: How to Connect to Your Server via SSH


Step 1: Hide the web server version

Choose your stack:

Apache exposes version details via ServerTokens (headers) and ServerSignature (auto-generated error pages).

1) Edit the security config

Debian/Ubuntu: /etc/apache2/conf-enabled/security.conf
ServerTokens Prod
ServerSignature Off

RHEL-family (httpd): /etc/httpd/conf/httpd.conf
ServerTokens Prod
ServerSignature Off

2) Test config

Validate Apache config
sudo apachectl configtest || sudo httpd -t

3) Restart Apache

Debian/Ubuntu:
sudo systemctl restart apache2

RHEL-family:
sudo systemctl restart httpd

Rollback

Revert to your previous values (or remove the directives) and restart Apache again.

Nginx uses server_tokens to remove version numbers from headers and error pages.

1) Edit Nginx main config

/etc/nginx/nginx.conf
http {
    server_tokens off;
    # ...
}

2) Test and restart

sudo nginx -t
sudo systemctl restart nginx

LiteSpeed/OpenLiteSpeed can hide its full signature from the admin UI. Shared hosting may restrict header manipulation.

Option A: WebAdmin Console (recommended)

  1. Log in to WebAdmin.
  2. Go to Server Configuration → General.
  3. Set Server Signature to Hide Full Header (or equivalent).
  4. Perform a Graceful Restart.

Option B: .htaccess (sometimes allowed, sometimes blocked)

.htaccess (only if mod_headers is available)
Header unset Server

Shared hosting reality check

On shared hosting, the server layer is centrally managed for stability and security.
If you cannot change the Server header, open a ticket and tell us what you’re trying to achieve.


Step 2: Hide the PHP version

PHP commonly exposes itself with: X-Powered-By: PHP/8.x.x.
The primary control is expose_php.

CLI PHP vs PHP-FPM PHP

php --ini shows the CLI configuration.
If your site runs on PHP-FPM, you must edit the FPM php.ini (often a different path).

2.1 Locate the correct php.ini

ls -la /etc/php/*/fpm/php.ini
ls -la /etc/php.ini
php --ini | grep "Loaded Configuration File"

2.2 Disable expose_php

Edit the relevant php.ini and set:

php.ini
expose_php = Off

2.3 Restart the right service

If PHP runs inside Apache (mod_php), restart Apache:

sudo systemctl restart apache2 || sudo systemctl restart httpd

If PHP runs under PHP-FPM:
  1. Identify the PHP-FPM service name:
    systemctl list-units --type=service | grep -E "php.*fpm"
    
  2. Restart the correct version, examples:
    sudo systemctl restart php8.2-fpm
    # or
    sudo systemctl restart php8.1-fpm
    
Optional: Strip headers at the web server layer

If an upstream app still injects X-Powered-By, you can also strip it at the web server layer:

  • Nginx (inside the PHP location block):
    fastcgi_hide_header X-Powered-By;
    
  • Apache (requires headers module):
    Header unset X-Powered-By
    

Step 3: Verify the results

3.1 Check headers with curl

Show only Server + X-Powered-By headers
curl -sI https://yourdomain.com | grep -Ei '^(server|x-powered-by):'

Expected result

  • Server: shows no version (example: Server: nginx or Server: Apache)
  • X-Powered-By: is not present

3.2 Check error pages too

Version strings often leak via default error pages:

Request a non-existent URL
curl -sI https://yourdomain.com/this-page-should-not-exist
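
An added example (not part of the original guide): a POSIX shell check that turns the two manual curl checks above into pass/fail results, including the error-page body, which a HEAD request (curl -I) does not return. The function names and the sample responses, including their version strings, are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample responses are constructed.
# Live use:  curl -sI https://yourdomain.com | audit_headers
#            curl -s  https://yourdomain.com/this-page-should-not-exist | audit_error_body

# Reads response headers on stdin; prints each leaking header, returns 1 on any leak.
audit_headers() {
  leaks=0
  cr=$(printf '\r')
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                          # curl -I output keeps CRLF endings
    case $line in *:*) ;; *) continue ;; esac   # skip status and blank lines
    name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
    value=${line#*:}; value=${value# }
    case $name in
      server)
        # "Apache" or "nginx" is fine; a token followed by /<digit> is a version.
        case $value in */[0-9]*) echo "LEAK server: $value"; leaks=1 ;; esac ;;
      x-powered-by)
        # Target state in this guide: the header is absent altogether.
        echo "LEAK x-powered-by: $value"; leaks=1 ;;
    esac
  done
  return "$leaks"
}

# Reads an error-page body on stdin; returns 1 if it carries a product/version
# footer like the one Apache adds while ServerSignature is on.
audit_error_body() {
  if grep -Eiq '(apache|nginx|litespeed)/[0-9]+\.[0-9]'; then
    echo "LEAK error page body shows a server version"
    return 1
  fi
}

# Constructed sample responses (not captured from a real host).
sample_before() {
  printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Ubuntu)\r\nX-Powered-By: PHP/8.2.12\r\n\r\n'
}
sample_after() {
  printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
}
sample_error_body() {
  printf '<address>Apache/2.4.58 (Ubuntu) Server at example.test Port 443</address>\n'
}

sample_before | audit_headers || echo "before hardening: version disclosure found"
sample_after | audit_headers && echo "after hardening: headers clean"
```

Behind a proxy or CDN the headers audited are the edge's, not the origin's, so run the check against the origin as well when you can reach it directly.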

Troubleshooting

I still see a version number

Common causes:

  • You edited the wrong config file (especially PHP-FPM vs CLI).
  • You did not restart the right service.
  • You are behind a proxy/CDN and you are seeing their headers.
  • Another layer adds headers (panel, reverse proxy, app framework).

My site went down after changes
  1. Roll back the last change.
  2. Re-run config tests:
    • Apache: apachectl configtest or httpd -t
    • Nginx: nginx -t
  3. Restart again only after tests are clean.

If your server is not responding at all, follow: Server Not Accessible


GOZEN HOST: want this handled for you?

Security is a system, not a toggle. If you want an engineered baseline with ongoing operations discipline, consider Managed-style hosting.



Summary

  • Hiding versions reduces information disclosure and improves your public security posture.
  • Apache: use ServerTokens Prod + ServerSignature Off.
  • Nginx: use server_tokens off;.
  • LiteSpeed/OpenLiteSpeed: hide full header in WebAdmin (shared hosting may be restricted).
  • PHP: set expose_php = Off and restart the correct service.
  • Always verify with curl and test error pages.