Server Version Disclosure
Impact: Informational
Description
The Server header describes the server application that handled the request. Detailed information in this header can expose the server to attackers. Using the information in this header, attackers can find vulnerabilities easier.
Recommendation
Configure the webserver to stop sending detailed information in the Server header.
Fix Server Version Disclosure in Apache
Open the Apache configuration file (httpd.conf or apache2.conf) and add below lines to it.
ServerTokens Prod
ServerSignature Off
Restart the web server.
Fix Server Version Disclosure in Nginx
- Open the Nginx configuration file (
nginx.conf) and add below line to eitherhttp,server, orlocationsections. server_tokens off;- Restart the web server
Fix Server Version Disclosure in Tomcat
- Open the
server.xmlfile - Find the
Hostsection and, add below line next after it <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />- save the file and restart application
References
- Mozilla: Server
- OWASP: Fingerprint Web Server
- CWE-200
- OWASP 2007-A6
- OWASP 2021-A1
- OWASP 2017-A6
- OWASP 2021-A5
- CWE-16
👉 You might also like:
PHP Version Disclosure - Vulnerability
ASP.NET Version Disclosure - Vulnerability
Apache Version Disclosure - Vulnerability
Nginx Version Disclosure - Vulnerability
Last updated on June 29, 2022