
security

How to fix: Server header information disclosure

OWASP A05

Why this matters

A Server header that announces 'nginx/1.18.0' tells attackers exactly which version-specific CVEs to try first. A generic server name, or no header at all, forces them to do more work.

Background

Headers like 'Server: Apache/2.4.41 (Ubuntu)' tell attackers exactly which version's CVEs to try. Strip or genericise the Server header, and remove X-Powered-By entirely. The information leak is low-severity by itself, but fixing it is a free win that signals operational maturity to auditors.

References

OWASP A05 · principle of least information disclosure

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
    server_tokens off;          # in the http {} block; strips the version but leaves "nginx"
    # To remove the header entirely, use the headers-more module:
    more_clear_headers Server;

apache
    ServerTokens Prod
    ServerSignature Off

cloudflare
    Cloudflare strips most upstream Server detail at the edge automatically.

wordpress
    header_remove('X-Powered-By');   # in wp-config.php
    # OR in php.ini:
    expose_php = Off

flask
    @app.after_request
    def strip_server_header(resp):
        resp.headers.pop('Server', None)   # remove only if present
        return resp
    # In production the app is served by gunicorn/uwsgi, which commonly add the Server header themselves,
    # so confirm with the curl check under "Verify it's working" and strip it at the reverse proxy if it persists.

express
    app.disable('x-powered-by');

rails
    Rack middleware to strip Server / X-Powered-By; many platforms (Heroku) leave one behind regardless.

Verify it's working

curl -sI https://your-site/ | grep -iE 'server:|x-powered-by:'   # ideally absent or generic
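The following is an added example, not code from the original guide or from any of the frameworks it lists. It shows the two halves of the fix section and the verification step in working code: a framework-agnostic WSGI middleware that drops Server and X-Powered-By before the response leaves the application (the same idea as the Flask hook and the Rack middleware above), and an audit function that applies the curl check to a raw header block, additionally flagging a Server value that carries a version number. The toy app, the fake WSGI driver and every header value here are constructed for the demonstration. Note that a WSGI server or reverse proxy may add its own Server header after the application has returned, which no in-app middleware can touch; that is why the curl check against the live site is the final word.

```python
"""Added example: strip disclosure headers in WSGI and audit a header block.
Not part of the original guide; all sample values are constructed."""
import re

DISCLOSURE_HEADERS = ("server", "x-powered-by")
VERSION_RE = re.compile(r"\d+\.\d+")  # matches e.g. nginx/1.18.0 or PHP/7.4.3


def strip_disclosure_headers(app, blocked=DISCLOSURE_HEADERS):
    """Wrap any WSGI app so the named response headers never leave it."""
    def middleware(environ, start_response):
        def filtered_start_response(status, headers, exc_info=None):
            clean = [(k, v) for k, v in headers if k.lower() not in blocked]
            return start_response(status, clean, exc_info)
        return app(environ, filtered_start_response)
    return middleware


def audit_headers(raw):
    """Apply the guide's check to a raw header block (as printed by `curl -sI`).

    Returns a list of (severity, message) tuples: "LEAK" for X-Powered-By or a
    Server header containing a version number, "OK" for a generic Server value.
    An empty list means neither header is present.
    """
    findings = []
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank separator
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "server":
            if VERSION_RE.search(value):
                findings.append(("LEAK", f"Server reveals version: {value}"))
            else:
                findings.append(("OK", f"Server present but generic: {value}"))
        elif name == "x-powered-by":
            findings.append(("LEAK", f"X-Powered-By present: {value}"))
    return findings


def is_clean(raw):
    """True when the header block has no LEAK findings."""
    return all(sev == "OK" for sev, _ in audit_headers(raw))


# --- demonstration: a leaky toy app and a minimal fake WSGI server -------------
def leaky_app(environ, start_response):
    """Constructed WSGI app that sets the headers this guide tells you to remove."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "ExampleWSGI/1.2 Python/3.9"),
                              ("X-Powered-By", "ExampleFramework")])
    return [b"hello"]


def run_wsgi(app):
    """Drive a WSGI app once and return its header block as `curl -sI` would show it."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    lines = [f"HTTP/1.1 {captured['status']}"]
    lines += [f"{k}: {v}" for k, v in captured["headers"]]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    for label, app in (("before", leaky_app),
                       ("after", strip_disclosure_headers(leaky_app))):
        raw = run_wsgi(app)
        print(f"--- {label} middleware ---")
        for sev, msg in audit_headers(raw) or [("OK", "no disclosure headers")]:
            print(sev, msg)
```

To use the audit against a real site, feed it the output of `curl -sI https://your-site/` (for example via `audit_headers(sys.stdin.read())`); the middleware wraps whatever WSGI callable the framework exposes (Flask's `app.wsgi_app`, for instance), and the live curl check then tells you whether the WSGI server or proxy in front of it has re-added a Server header.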
