Server Version Disclosure
Impact: Low
Description
The Server header describes the server application that handled the request. Detailed information in this header can expose the server to attackers. Using the information in this header, attackers can find vulnerabilities easier, potentially leading to targeted attacks and unauthorized access.
Recommendation
To mitigate this issue configure the web server to stop sending detailed information in the Server header.
Fix Server Version Disclosure in Apache
- Open the Apache configuration file (
httpd.conforapache2.conf) and add the following lines:ServerTokens Prod ServerSignature Off - Restart the web server.
Fix Server Version Disclosure in Nginx
- Open the Nginx configuration file (
nginx.conf) and add the following line to eitherhttp,server, orlocationsections:server_tokens off; - Restart the web server.
Fix Server Version Disclosure in Tomcat
- Open the
server.xmlfile. -
Find the
Hostsection and add the following line immediately after it:<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" /> - Save the file and restart the application.
References
- CWE-16
- CWE-200
- Mozilla: Server
- Nginx Security Tips: Hide Version
- OWASP 2021-A5
- OWASP: Fingerprint Web Server
- Reducing Information Leakage from Apache HTTP Server
- Securing Apache Tomcat
👉 You might also like:
Apache Version Disclosure - Vulnerability
Nginx Version Disclosure - Vulnerability
Tomcat Version Disclosure - Vulnerability
ASP.NET Version Disclosure - Vulnerability
Last updated on May 13, 2024