Low severity

Server Information Leakage

Your server is shouting its exact version number to the world (e.g., "nginx/1.18.0").

Business risk

Automated scanners look for outdated versions. "Oh, nginx/1.18.0? That has CVE-2021-23017." It paints a target on your back. It doesn't cause the hack, but it invites it.

Technical details

Obscurity is not security, but there is no benefit to broadcasting your software stack. In Nginx, `server_tokens off` removes the version. In Next.js, disabling `poweredByHeader` removes the "X-Powered-By: Next.js" header.

How to detect it

Look for any response header that names the software stack: `Server`, `X-Powered-By`, `X-AspNet-Version`, `X-Generator`, `Via`. Also check HTML meta generator tags and default error pages, which often show framework branding.

Dump all headers

curl -sI https://yourdomain.com

Look for framework fingerprints

curl -sI https://yourdomain.com | grep -iE "^(server|x-powered-by|x-aspnet|x-generator|via):"

Check default error pages

curl -s https://yourdomain.com/does-not-exist-xyz | grep -iE "nginx|apache|express|php|tomcat"

Common pitfalls

Removing `Server` at the app layer but leaving it on the reverse proxy. Nginx/Apache in front of the app usually re-adds it. Strip at the outermost layer.
Forgetting HTML `<meta name="generator">` tags. WordPress, Drupal, and static-site generators inject these by default.
Leaving stack traces and debug pages in production. A PHP warning or Rails error page reveals more than any header.
Treating hiding versions as a real control. It raises the cost of automated scans slightly, but skilled attackers fingerprint stacks from behavior regardless. Patch aggressively - hiding is a complement, not a substitute.
Exposing stack info through `robots.txt`, `.well-known/` paths, or sitemap generator comments.

Remediation guide

server_tokens off;
proxy_pass_header Server;

nginx

External references

OWASP Info Leakage

Frequently asked questions

Isn't this "security by obscurity"?

Partly. Hiding versions does not stop a targeted attacker but it does filter out the noise from automated scanners probing for specific CVEs. The real control is patching; hiding versions is a small complement that costs nothing.

What about X-Powered-By?

Always remove it. It never provides value and advertises your framework. Next.js: `poweredByHeader: false`. Express: `app.disable('x-powered-by')`. PHP: `expose_php = Off` in php.ini.

Do I need to change `Server` or just remove the version?

Removing the version is enough for compliance scanners. Some teams replace `Server` with a generic label for brand consistency; most just turn off version disclosure and move on.

Keep going

Related guide

Exposed `.git` Directory

Critical severity · Exposure

Related guide

Exposed `.env` File

Critical severity · Exposure

Related guide

Missing X-Content-Type-Options

Medium severity · Content

Free tool

security.txt Checker

Make it obvious how to report vulnerabilities - the RFC 9116 way.

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.

How to detect it

Dump all headers

curl -sI https://yourdomain.com

Look for framework fingerprints

curl -sI https://yourdomain.com | grep -iE "^(server|x-powered-by|x-aspnet|x-generator|via):"

Check default error pages

curl -s https://yourdomain.com/does-not-exist-xyz | grep -iE "nginx|apache|express|php|tomcat"

Common pitfalls

Removing `Server` at the app layer but leaving it on the reverse proxy. Nginx/Apache in front of the app usually re-adds it. Strip at the outermost layer.

Forgetting HTML `<meta name="generator">` tags. WordPress, Drupal, and static-site generators inject these by default.

Leaving stack traces and debug pages in production. A PHP warning or Rails error page reveals more than any header.

Treating hiding versions as a real control. It raises the cost of automated scans slightly, but skilled attackers fingerprint stacks from behavior regardless. Patch aggressively - hiding is a complement, not a substitute.

Exposing stack info through `robots.txt`, `.well-known/` paths, or sitemap generator comments.

Frequently asked questions

Isn't this "security by obscurity"?

What about X-Powered-By?

Always remove it. It never provides value and advertises your framework. Next.js: `poweredByHeader: false`. Express: `app.disable('x-powered-by')`. PHP: `expose_php = Off` in php.ini.

Do I need to change `Server` or just remove the version?

Removing the version is enough for compliance scanners. Some teams replace `Server` with a generic label for brand consistency; most just turn off version disclosure and move on.