How to fix: Server header information disclosure
OWASP A05
Why this matters
A Server header that announces 'nginx/1.18.0' tells attackers exactly which version-specific CVEs to try first. Generic server names — or no header at all — force them to do more work.
Background
Headers like 'Server: Apache/2.4.41 (Ubuntu)' tell attackers exactly which version's CVEs to try. Strip or genericise the Server header and remove X-Powered-By entirely. The information leak is low-severity on its own, but fixing it is a free win that signals operational maturity to auditors.
References
OWASP A05 · principle of least information disclosure
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
server_tokens off;   # in the http {} block; strips the version, but the header is still sent as "Server: nginx"
# To remove the header entirely, use the headers-more module:
more_clear_headers Server;
apache
ServerTokens Prod      # header becomes just "Server: Apache", no version or OS
ServerSignature Off    # no version footer on server-generated error pages
cloudflare
Cloudflare strips most upstream Server detail at the edge automatically.
wordpress
header_remove('X-Powered-By'); // add to wp-config.php
OR set expose_php = Off in php.ini so PHP never adds the header in the first place.
flask
@app.after_request
def strip_server_header(resp):
    resp.headers.pop('Server', None)  # the Server header normally comes from gunicorn/uwsgi in front of Flask, so configure those too
    return resp
express
app.disable('x-powered-by')
rails
Use Rack middleware that deletes Server / X-Powered-By from the response; note that many platforms (Heroku, for one) leave a Server header behind regardless.
Verify it's working
curl -sI https://your-site/ | grep -i 'server:\|x-powered-by:' # ideally absent or generic.
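The same check as the curl/grep line above, as an added example that is not part of the original page: a small Python checker that parses a raw HTTP response and classifies each disclosure header as absent, generic, or version-revealing, so it can be run over many hosts or wired into CI. The sample responses are constructed, not captured from real hosts.

```python
import re
from typing import Dict

# Headers this page tells you to strip or genericise.
DISCLOSURE_HEADERS = ("server", "x-powered-by")

# A value "discloses a version" if it carries a dotted number (nginx/1.18.0,
# PHP/7.4.3) or a parenthesised platform hint (Apache/2.4.41 (Ubuntu)).
VERSION_RE = re.compile(r"\d+\.\d+|\(.*\)")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict.

    Only the lines after the status line and before the first blank line
    are read; the body is ignored.
    """
    headers: Dict[str, str] = {}
    for line in re.split(r"\r?\n", raw)[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(headers: Dict[str, str]) -> Dict[str, str]:
    """Map each disclosure header to 'absent', 'generic' or 'version'."""
    verdict = {}
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            verdict[name] = "absent"
        elif VERSION_RE.search(value):
            verdict[name] = "version"
        else:
            verdict[name] = "generic"
    return verdict


def is_fixed(raw: str) -> bool:
    """True when no disclosure header reveals a version (absent or generic both pass)."""
    return "version" not in classify(parse_headers(raw)).values()


# Constructed sample responses (not captured from real hosts).
LEAKY = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
         "X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html>")
GENERIC = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
STRIPPED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("generic", GENERIC), ("stripped", STRIPPED)):
        print(label, classify(parse_headers(raw)), "fixed" if is_fixed(raw) else "FAIL")
```

Feed it the output of `curl -sI` (headers only) and treat any "version" verdict as a failed check.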