Server Version Disclosure

Description

The Server header describes the server application that handled the request. Detailed information in this header can expose the server to attackers. Using the information in this header, attackers can find vulnerabilities easier, potentially leading to targeted attacks and unauthorized access.

Download Free SmartScanner

Recommendation

To mitigate this issue configure the web server to stop sending detailed information in the Server header.

Fix Server Version Disclosure in Apache

1. Open the Apache configuration file (httpd.conf or apache2.conf) and add the following lines:

   ServerTokens Prod
   ServerSignature Off
   

2. Restart the web server.

Fix Server Version Disclosure in Nginx

1. Open the Nginx configuration file (nginx.conf) and add the following line to either http, server, or location sections:

   server_tokens off;
   

2. Restart the web server.

Fix Server Version Disclosure in Tomcat

1. Open the server.xml file.

2. Find the Host section and add the following line immediately after it:

    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
   

3. Save the file and restart the application.

References

• Mozilla: Server
• OWASP: Fingerprint Web Server
• Reducing Information Leakage from Apache HTTP Server
• Nginx Security Tips: Hide Version
• Securing Apache Tomcat
• CWE-16
• CWE-200
• CAPEC-118
• OWASP 2021-A5

Related Issues

• Apache Version Disclosure - Vulnerability
• Nginx Version Disclosure - Vulnerability
• ASP.NET Version Disclosure - Vulnerability
• PHP Version Disclosure - Vulnerability

Tags:

HTTP Headers

Information Disclosure

Server Misconfiguration

Web Server

Targeted Attacks

Unauthorized Access