Low Severity
Server Information Leakage
Your server is shouting its exact version number to the world (e.g., "nginx/1.18.0").
Business Risk
Automated scanners look for outdated versions. "Oh, nginx/1.18.0? That has CVE-2021-23017." It paints a target on your back. It doesn't cause the hack, but it invites it.
Technical Details
Obscurity is not security, but there is no benefit to broadcasting your software stack. In Nginx, `server_tokens off` removes the version. In Next.js, disabling `poweredByHeader` removes the "X-Powered-By: Next.js" header.
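To check the headers yourself after changing the configuration, here is an added example (not part of the original page or any scanner's code). It parses a raw response head and reports a versioned `Server` token or any `X-Powered-By` header; the function names and both sample responses are constructed for illustration.

```python
import re

# Product/version token such as "nginx/1.18.0" or "Apache/2.4.41".
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d[\w.]*")
# Headers whose only purpose is to advertise the stack: any value is a finding.
STACK_HEADERS = {"x-powered-by"}

# Constructed sample responses: before and after the configuration change.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
          "X-Powered-By: Next.js\r\nContent-Type: text/html\r\n\r\n<html>")
AFTER = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
         "Content-Type: text/html\r\n\r\n<html>")


def parse_headers(raw):
    """Return [(name, value), ...] from a raw response head, keeping duplicates."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def find_disclosures(raw):
    """Return [(header, value, leaked_detail), ...] for stack-revealing headers."""
    findings = []
    for name, value in parse_headers(raw):
        lname = name.lower()
        if lname == "server":
            match = VERSION_TOKEN.search(value)
            if match:  # a bare "nginx" names the product but not the version
                findings.append((name, value, match.group(0)))
        elif lname in STACK_HEADERS:
            findings.append((name, value, value))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        results = find_disclosures(raw)
        print(label, "->", results if results else "no version disclosure")
```

A real response head captured with `curl -sI` can be passed to `find_disclosures` in place of the samples.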
Verify Your Fix
Applied the configuration change? Run a live scan to confirm the vulnerability is patched.