Security findings say that my site shows Apache Ver. Where can I make this change?

Website, Application, Performance Security
1

What is the name of the domain?

What is the error number?

Apache/2.4.52 (Ubuntu) Server at woodsideseniorcommunities.org Port 443

What is the error message?

Apache/2.4.52 (Ubuntu) Server at woodsideseniorcommunities.org Port 443

What is the issue you’re encountering

We would like to modify site so that Apache version is not displayed

What steps have you taken to resolve the issue?

Looked thru Cloudflare settings

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

If you go to forbidden dir then apache version is shown.

Screenshot of the error

Screenshot 2025-04-29 082706.png
Screenshot 2025-04-29 082706.png548×144 3.24 KB

2

You would have to configure that in your Apache settings as that’s where it is returned from in the body of the response.

For headers…

Cloudflare can remove the X-Powered-By header with a managed transform…

Or you can use transform rules to remove other headers.

3

Thank you. That is excellent information. I enabled the Remove Powered by setting but still seems to show the version on the page. Does it take time to take effect? It’s probably been 30 min

4

As I said, you need to change a setting in the Apache configuration to move that, Cloudflare Rules cannot do that for you.

5

You can add this to your Apache configuration to remove that:

ServerTokens Prod
ServerSignature Off

Showing this information is not a security problem and there is no reason to worry about it, but the above will disable it.

1 Like