We propose and experimentally demonstrate a scheme to render the detection apparatus of a quantum key distribution system immune to the main classes of hacking attacks in which the eavesdropper explores the back-door opened by the single-photon detectors. The countermeasure is based on the creation of modes that are not deterministically accessible to the eavesdropper. We experimentally show that the use of beamsplitters and extra single-photon detectors at the receiver station passively creates randomized spatial modes that erase any knowledge the eavesdropper might have gained when using bright-light faked states. Additionally, we experimentally show a detector-scrambling approach where the random selection of the detector used for each measurement-equivalent to an active spatial mode randomization-hashes out the side-channel open by the detection efficiency mismatch-based attacks. The proposed combined countermeasure represents a practical and readily implementable solution against the main classes of quantum hacking attacks aimed on the single-photon detector so far, without intervening on the inner working of the devices.