How to fix: Server-version disclosure (NIS2 information minimisation)
NIS2 Art. 21(2)(a)
Why this matters
Reducing infrastructure disclosure (the Server and X-Powered-By headers) makes targeted attacks more expensive. The NIS2 reasonable-care framing favours reducing easy reconnaissance.
Background
A Server: header that leaks the product and its version gives attackers a free CVE lookup. NIS2 expects organisations to minimise attack surface, including fingerprinting signals. Strip or generalise the Server header.
References
NIS2 Art. 21(2)(a) — minimise attack surface · OWASP A05
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
server_tokens off; (in the http block). To go further, the headers-more module lets you replace the Server: nginx value entirely.
apache
ServerTokens Prod
ServerSignature Off
cloudflare
Cloudflare always emits 'Server: cloudflare'. That is intentional and low-fingerprint, so no action is needed if you are behind CF.
wordpress
If your host exposes a value like 'Server: Apache/2.4.41 (Ubuntu)', escalate to the host or proxy the site through Cloudflare.
flask
Gunicorn sets 'Server: gunicorn/...'; strip it via a reverse proxy (nginx or Cloudflare).
express
Same as above: strip it via a reverse proxy.
rails
Same as above.
Verify it's working
curl -sI https://your-site/ | grep -i ^server:
The header should be missing, or a generic value like 'cloudflare' / 'nginx'.
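An added example, not code from the page, that turns the verify step into a repeatable check: it parses the header block that curl -sI prints and flags any Server or X-Powered-By value that carries a version number or OS detail. The generic-name allowlist and the two sample responses are constructed assumptions.

```python
import re
import sys
from typing import Dict, Optional, Tuple

# Headers that fingerprint the stack (the two the page names).
FINGERPRINT_HEADERS = ("server", "x-powered-by")
# Matches a dotted version such as 2.4.41 or 20.1.0.
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse an HTTP response header block (as printed by curl -sI) into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(value: Optional[str]) -> str:
    """Return 'missing', 'generic' or 'disclosing' for one fingerprint header value."""
    if not value:
        return "missing"
    # A version string or a parenthesised OS detail, e.g. 'Apache/2.4.41 (Ubuntu)', discloses too much.
    if VERSION_RE.search(value) or "(" in value:
        return "disclosing"
    return "generic"  # bare product name such as 'cloudflare' or 'nginx'


def audit(raw: str) -> Dict[str, Tuple[str, str]]:
    """Map each fingerprint header to (value, verdict) for a raw header block."""
    headers = parse_headers(raw)
    return {h: (headers.get(h, ""), classify(headers.get(h))) for h in FINGERPRINT_HEADERS}


# Constructed sample responses: one leaky stack and one behind Cloudflare.
LEAKY = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n"
FIXED = "HTTP/2 200\r\nserver: cloudflare\r\ncontent-type: text/html\r\n"

if __name__ == "__main__":
    # Usage: curl -sI https://your-site/ | python audit_server_header.py
    for header, (value, verdict) in audit(sys.stdin.read()).items():
        print(f"{header}: {value or '<absent>'} -> {verdict}")
```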