Skip to main content

How to modify the Server header with ModSecurity

Alex Jankowiak
  • Updated

As an attempt to increase security, some users may find it helpful to be able to hide the "Server" identification header.

 

Please do keep in mind that there are other ways to determine if a server is running Apache, and the "Server" identification header does not leak your version information. Please ensure Apache is up-to-date by enabling automatic updates. If they have been disabled previously, you may need to utilize the command-line to enable updates.

 

How to customize cPanel's Update Preferences from the Command Line

 

Procedure

First, confirm that your server is showing the "Apache" value in the "Server" field.

 

$ curl -IL cptest.tld
HTTP/1.1 200 OK
Date: Thu, 27 Aug 2020 08:18:18 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=94ffde3155abbd25123eb978877ad8ca; path=/
X-Mod-Pagespeed: 1.13.35.2-0
Cache-Control: max-age=0, no-cache
Content-Type: text/html; charset=UTF-8

 

Then, to ensure your string is accepted, you must ensure Server Signatures are enabled.

 

This can be done from WHM > Service Configuration > Apache Configuration > Global Configuration.

 

Additionally, from this same interface, you should set the Server Tokens value to Minimal to ensure the string you set is accepted.

 

Next, utilize ModSecurity to change the value. Here, I am setting the value to just a single space. An empty string will NOT work.

 

# nano /etc/apache2/conf.d/modsec/modsec2.user.conf
...
SecServerSignature ' '

 

Then, rebuild the httpd configuration.

 

# /scripts/rebuildhttpdconf
Built /etc/apache2/conf/httpd.conf OK

 

After a successful rebuild, restart Apache.

 

# /scripts/restartsrv_httpd
Waiting for “httpd” to restart gracefully …[Thu Aug 27 07:00:42.425527 2020] [so:warn] [pid 27440] AH01574: module version_module is already loaded, skipping
waiting for “httpd” to initialize ………finished.

Service Status
 httpd (/usr/sbin/httpd -k start) is running as root with PID 9376 (systemd+/proc check method).

Log Messages
...

httpd restarted successfully

 

Finally, confirm it's working.

 

$ curl -IL cptest.tld
HTTP/1.1 200 OK
Date: Thu, 27 Aug 2020 08:23:45 GMT
Server:
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=69ca29c608842f5443e2fdf211eb44ae; path=/
X-Mod-Pagespeed: 1.13.35.2-0
Cache-Control: max-age=0, no-cache
Content-Type: text/html; charset=UTF-8

Related articles