Server Version Disclosure
The Server and X-Powered-By headers disclose the server software and version, helping attackers target known vulnerabilities.
What is Server Version Disclosure?
Web servers often include a "Server" header (e.g., "nginx/1.24.0") and "X-Powered-By" header (e.g., "PHP/8.2.1") in responses. While not directly exploitable, this information helps attackers identify which vulnerabilities to try. Security through obscurity is not a primary defense, but reducing information disclosure makes automated attacks slightly harder.
Why It Matters to Your Business
Low direct impact, but version disclosure helps attackers target known vulnerabilities in your specific server/PHP version. Combined with other findings, it can make attacks more efficient.
How to Fix It
Hide server version information:
Nginx (nginx.conf):
server_tokens off;
Apache (apache2.conf):
ServerTokens Prod
ServerSignature Off
PHP (php.ini):
expose_php = Off
Express.js:
app.disable('x-powered-by');
ASP.NET (web.config):
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>
Technical Classification
| OWASP Category | A05:2021 — Security Misconfiguration |
| CWE ID | CWE-200: Exposure of Sensitive Information |
| Detected By | redirect_signature, headers scanner(s) |
| Severity Level | low |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our redirect_signature, headers scanner checks for this issue automatically.
Scan My Website Free