
How to fix: Server-version disclosure (NIS2 information minimisation)

NIS2 Art. 21(2)(a)

Why this matters

Stripping version strings from infrastructure headers (Server, X-Powered-By) removes the cheapest reconnaissance step an attacker has: mapping a version number to known CVEs without sending a single malicious request. It patches nothing, so treat it as defence in depth alongside keeping the software current. NIS2's reasonable-care framing favours removing easy reconnaissance signals like this one.

Background

A Server header that names the software and its version ('Server: Apache/2.4.41 (Ubuntu)') gives attackers a free CVE lookup. NIS2 expects organisations to minimise attack surface, including fingerprinting signals. Strip the version or replace the header with a generic value, and treat X-Powered-By (which names the application framework) the same way. Note that the product itself usually stays identifiable from behaviour (error pages, header order), so the realistic goal is hiding the exact version, not hiding that you run nginx or Apache.

References

NIS2 Art. 21(2)(a) — policies on risk analysis and information system security · OWASP A05:2021 — Security Misconfiguration

How to fix

A snippet for each stack we cover. Pick the one matching your server or framework.

nginx
server_tokens off; (in the http block). This drops the version ('Server: nginx' instead of 'Server: nginx/<version>'), but stock nginx cannot remove the header entirely; for that, the headers-more module (more_clear_headers Server; or more_set_headers "Server: ...") lets you remove or replace it.
apache
ServerTokens Prod
ServerSignature Off
ServerTokens Prod reduces the header to 'Server: Apache'; ServerSignature Off removes the version footer Apache appends to its own error and directory-listing pages. ServerTokens is only honoured in the main server config (httpd.conf / apache2.conf), not in .htaccess.
cloudflare
Cloudflare replaces the origin's Server header with 'Server: cloudflare', which is intentional and low-fingerprint, so no action is needed on that header for traffic that goes through CF. Do check that the origin is not reachable directly (restrict it to Cloudflare's IP ranges or use authenticated origin pulls); otherwise the origin's own header still leaks to anyone who finds its address.
wordpress
WordPress itself does not set the Server header; it comes from the host's web server. If your host exposes 'Server: Apache/2.4.41 (Ubuntu)', escalate to the host or proxy through Cloudflare.
flask
Gunicorn sets a 'Server: gunicorn...' header (older releases include the version number). Strip it at the reverse proxy: nginx replaces an upstream's Server header with its own by default, and Cloudflare overwrites it at the edge.
express
Express does not set a Server header, but it adds 'X-Powered-By: Express' by default. Turn that off in the app with app.disable('x-powered-by') (helmet does the same) and let the reverse proxy handle whatever Server header your Node process or its front-end emits.
rails
Same approach: the Server header comes from the app server or proxy in front of Rails, so strip it there. Rails' default X-Runtime header is also a recognisable fingerprint and can be hidden at the proxy.
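The "strip via reverse proxy" advice for the Flask, Express and Rails rows, written out as an added nginx example (this is not config from this page or from any of those projects). The upstream address 127.0.0.1:8000 and the hostname example.com are assumptions; TLS directives are omitted.

```nginx
# Added example: nginx fronting an app server (Gunicorn / Node / Puma on
# 127.0.0.1:8000 -- assumed address). Hostname example.com is a placeholder.
http {
    # Drop the version from nginx's own header: "Server: nginx" instead of "Server: nginx/<version>".
    server_tokens off;

    server {
        listen 443 ssl;
        server_name example.com;
        # ssl_certificate / ssl_certificate_key go here.

        location / {
            proxy_pass http://127.0.0.1:8000;

            # nginx does not pass the upstream's Server header to the client by default,
            # so "Server: gunicorn/..." from the app never reaches the browser.
            # Framework headers ARE passed through by default; hide them explicitly.
            proxy_hide_header X-Powered-By;   # Express, PHP
            proxy_hide_header X-Runtime;      # Rails (Rack::Runtime)

            # Optional, needs the headers-more module (ngx_http_headers_more_filter_module):
            # more_clear_headers Server;            # remove the header entirely, or
            # more_set_headers "Server: web";       # replace it with a generic value
        }
    }
}
```

After reloading, a response should show 'Server: nginx' (or nothing / your generic value with headers-more) and no X-Powered-By or X-Runtime, regardless of what the app server emits.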

Verify it's working

curl -sI https://your-site/ | grep -i '^server:' — should return nothing, or a generic value like 'cloudflare', 'nginx' or 'Apache' with no version number. Check the framework header the same way: curl -sI https://your-site/ | grep -i '^x-powered-by:' should return nothing. If you sit behind Cloudflare, repeat both checks against the origin itself (for example curl -sI --resolve your-site:443:ORIGIN_IP https://your-site/), because the edge hides the origin's header only for traffic that passes through it.
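The same check as a small script that classifies a captured header block, added here as an example (not tooling from this page). It flags a Server header that carries a version number and any framework-identifying header, and exits non-zero on a finding so it can gate a deploy. The two sample header blocks are constructed; the 'PHP/7.4.3' value is invented for illustration.

```sh
#!/bin/sh
# Added example: flag server-version and framework disclosure in HTTP response headers.
# Live use:   curl -sI https://your-site/ | sh check_headers.sh
# or:         sh check_headers.sh https://your-site/
# Exit status: 0 = no disclosure found, 1 = at least one finding.

check_headers() {
    # Read a raw header block from stdin; curl keeps the wire CRs, drop them.
    hdrs=$(tr -d '\r')
    status=0

    # Server header: generic product name is fine, a version number is a finding.
    server=$(printf '%s\n' "$hdrs" | grep -i '^server:' | head -n1 | cut -d: -f2- | sed 's/^ *//')
    if [ -n "$server" ]; then
        case "$server" in
            */*|*[0-9].[0-9]*)   # "nginx/1.x", "Apache/2.4.41 (Ubuntu)", "gunicorn/20.x", "Apache 2.4"
                echo "FAIL Server header discloses a version: $server"; status=1 ;;
            *)
                echo "OK   Server header is generic: $server" ;;
        esac
    else
        echo "OK   no Server header"
    fi

    # Framework fingerprint headers: presence alone is a finding.
    for h in x-powered-by x-runtime x-generator; do
        v=$(printf '%s\n' "$hdrs" | grep -i "^$h:" | head -n1 | cut -d: -f2- | sed 's/^ *//')
        if [ -n "$v" ]; then
            echo "FAIL $h identifies the stack: $v"; status=1
        fi
    done
    return $status
}

# Fetch headers only (HEAD request) and classify them. Assumes curl is installed.
check_site() {
    curl -sS -I --max-time 10 "$1" | check_headers
}

# Constructed samples, not captured from any real host.
LEAKY_ORIGIN=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n')
CLEAN_EDGE=$(printf 'HTTP/1.1 200 OK\r\nServer: cloudflare\r\nContent-Type: text/html\r\n\r\n')

# With a URL argument, check that site; otherwise only the functions are defined
# (so the file can be sourced, or fed via stdin as shown at the top).
if [ $# -gt 0 ]; then
    check_site "$1"
fi
```

The version test is deliberately loose (any '/' or 'digit.digit' in the value), which matches how the page's own verification step reads the header: a bare product name passes, anything that looks like a release string fails. Run it against the origin address as well as the public hostname when Cloudflare fronts the site.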

Want to know if your site has this issue?

Run a free 53-check audit — security, GDPR, NIS2, and technical SEO.
