New

Disable Server Signature - Shared cPanel

Hi, I want to know how to turn off the cPanel Apache server signature on shared hosting. If anyone knows, please reply to this post.

7 REPLIES
Helper III

Hi @Yashi!

 

Which server signature are you referring to?  It sounds like you're talking about the one that shows up on pages generated by the web server.  If that's what you mean, you might be able to add this line to your .htaccess file:

ServerSignature Off

If that's not what you meant, could you include a few more details?

When I request a page and inspect the headers, I always see the 'apache' version. I want to remove this. I did try what you are suggesting and also 'RequestHeader unset Server', but it didn't work as expected.

I would try simply:

Header unset Server

Aside from that, I don't know of any way to remove them entirely.

I have tried this also; it's not working.

New

I'd like to know how too; it flags me in SiteLock as a potential security risk.

Helper V

@Yashi You can use .htaccess to remove the Server Signature (shown on the footer of error pages). However, the Server Tokens (sent as part of the Server header and not shown on the website, only in the headers, where they are easily viewed) can only be disabled in Apache's httpd.conf file, and that is server-wide, i.e. it affects all sites. For shared hosting you will be unable to disable Server Tokens.

 

You will be unable to disable the Server Tokens for your account.

You would need a VPS/Cloud/Dedicated server if you wanted to disable the Tokens

Basically, add the following to Apache's config file (Red Hat based: /etc/httpd/conf/httpd.conf, or Debian based: /etc/apache2/apache2.conf). Note: Signature is for the error pages, and Token is for the HTTP header that is sent with every request but not displayed unless you look for it.

 

ServerSignature Off
ServerTokens Prod

Once added, restart Apache.

Remember this can only be done if you have root/sudo access to the server.
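To check which of the two settings discussed above is actually in effect, the following added example (not code from any poster in this thread) classifies a `Server` header against the formats Apache documents for each `ServerTokens` level and looks for the `ServerSignature` footer in an error page. The headers, bodies, version numbers and hostname are constructed samples, and the function names are hypothetical.

```python
import re

# Server header formats Apache documents for each ServerTokens level.
LEVELS = [
    ("Prod",  r"Apache"),
    ("Major", r"Apache/\d+"),
    ("Minor", r"Apache/\d+\.\d+"),
    ("Min",   r"Apache/\d+\.\d+\.\d+"),
    ("OS",    r"Apache/\d+\.\d+\.\d+ \([^)]+\)"),
    ("Full",  r"Apache/\d+\.\d+\.\d+ \([^)]+\) .+"),
]
# Footer that "ServerSignature On" appends to server-generated pages.
FOOTER = re.compile(r"<address>(Apache[^<]*) Server at [^<]+ Port \d+</address>", re.I)

def server_tokens_level(headers):
    """Infer the ServerTokens level from a dict of response headers."""
    value = next((v for k, v in headers.items() if k.lower() == "server"), None)
    if value is None:
        return None                      # header absent (e.g. stripped by a proxy)
    for name, pattern in LEVELS:
        if re.fullmatch(pattern, value.strip()):
            return name
    return "unknown"                     # not an Apache-style banner

def signature_banner(body):
    """Return the banner from the ServerSignature footer, or None if absent."""
    match = FOOTER.search(body)
    return match.group(1) if match else None

def audit(headers, body):
    return {"server_tokens": server_tokens_level(headers),
            "signature_on": signature_banner(body) is not None}

# Constructed samples: (headers, body of a server-generated 404 page).
BANNER = "Apache/2.4.57 (Unix) OpenSSL/3.0.2"          # made-up version string
ERR = "<h1>Not Found</h1><hr>\n"
SAMPLES = {
    "default": ({"Server": BANNER},
                ERR + f"<address>{BANNER} Server at example.com Port 80</address>"),
    "htaccess_only": ({"Server": BANNER}, ERR),        # ServerSignature Off
    "httpd_conf": ({"server": "Apache"}, ERR),         # plus ServerTokens Prod
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(name, audit(hdrs, body))
```
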

Just wondering, should the server signature on shared hosting be disabled by default, since it's a security concern?