low Information Disclosure

Server Version Disclosure

The Server and X-Powered-By headers disclose the server software and version, helping attackers target known vulnerabilities.

Severity
low
Time to Fix
5 minutes
Difficulty
easy
OWASP
A05:2021 — Security Misconfiguration

What is Server Version Disclosure?

Web servers often include a "Server" header (e.g., "nginx/1.24.0") and "X-Powered-By" header (e.g., "PHP/8.2.1") in responses. While not directly exploitable, this information helps attackers identify which vulnerabilities to try. Security through obscurity is not a primary defense, but reducing information disclosure makes automated attacks slightly harder.

Why It Matters to Your Business

Low direct impact, but version disclosure helps attackers target known vulnerabilities in your specific server/PHP version. Combined with other findings, it can make attacks more efficient.

How to Fix It

Hide server version information:

Nginx (nginx.conf):
  server_tokens off;

Apache (apache2.conf):
  ServerTokens Prod
  ServerSignature Off

PHP (php.ini):
  expose_php = Off

Express.js:
  app.disable('x-powered-by');

ASP.NET (web.config):
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-200: Exposure of Sensitive Information
Detected Byredirect_signature, headers scanner(s)
Severity Levellow

How 2MNY Security Can Help

Check if your website has this vulnerability

Our redirect_signature, headers scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities