Turn off your server tokens!

A common mistake a lot of people make when installing their servers is forgetting to turn off their server tokens. When you visit a page through your browser, headers are sent containing these server tokens. The webserver or application serves these headers.

This would mean that anyone that is visiting your website can see the version number of your web or application server.

The reason this is bad is that it gives a potential attacker more information than you would like to give them. Attackers that know that your server is a particular version can exploit your server by looking for known exploits. The same goes for the version of your PHP-FPM (application server).

To check if your website is vulnerable visit https://gf.dev/server-signature-test or any other check service to see if you are vulnerable.

If you are, here are the ways you can solve it.

How to turn off your server tokens


There is a setting in Nginx called server_tokens. This is on by default, you can turn it off by adding the following line to your nginx.conf:

server_tokens off;

If you need more information about this directive, check out the documentation on nginx.org.


In the php.ini file on your server find and change the following line:

expose_php = Off;

Change this and restart your PHP-FPM. You can find more information about this directive on php.net.


Find your main apache2.conf (on Ubuntu) or httpd.conf (CentOS/RHEL/Fedora) and add the following lines:

ServerSignature Off
ServerTokens Prod

Afterwards restart Apache2. Want to know more about these directives? Visit apache.org.

As you can see, you can really easily turn off your server tokens and you really should if you are running your server in production!


Leave a Reply

Your email address will not be published. Required fields are marked *