Apache Security

It is very important to keep your server secure.

Hidden Files
Hiding PHP version
Hiding Apache version

IMPORTANT

It is important to note that apache WILL server hidden content (hidden files defined by '.' eg .hidden).
The httpd.conf or apache2.conf file comes with an entry preventing .htaccess and .htpasswd files being served:

# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Will will need to add an entry preventing other/all hidden files being served. Add the following content directly under the above content in the httpd.conf (apache2.conf file)

<LocationMatch ^(.*/)\..*>
  Order Allow,Deny
  Deny from All
  Satisfy All
</LocationMatch>

>> Go to this page.

Hiding apache version

If you run a curl on your website similar to the curl below, does it return apache versions?
This is NOT secure. We will now make a simple change to the httpd.conf or apache2.conf file to hide this

Example curl:

curl -LIsX GET lukeslinux.co.uk | grep -i apache

Value	Description
ServerTokens Prod	This will configure apache not to send any version numbers in the HTTP header
Server Signature Off	This will make sure apache does not display version number in footer of server generated pages

To hide the php value, turn the following value Off

ServerSignature On;

You will also need to change the following value:

ServerTokens Prod

Restart apache and you are done. Test again by rerunning the curl command.

Apache Security

IMPORTANT

Hiding php version

Example curl:

Hiding apache version

Example curl: