How to suppress Server and X-Powered-By headers

Telling the internet your exact nginx and PHP versions is free recon for attackers. Strip the chatty headers, and your stack stops shouting its CVE list.

What it is

Server information disclosure means response headers (e.g. Server, X-Powered-By) or error pages reveal the server type, version, or framework. Attackers use this to target known vulnerabilities.

Why it matters

Leaking server/version information makes it easier for attackers to choose exploits. Best practice is to suppress or genericize these headers in production. Continuous monitoring catches disclosure when it appears, so you can harden the configuration.

How Barrion checks it

Barrion inspects response headers for Server, X-Powered-By, X-AspNet-Version, and similar. We report when server or platform details are exposed and suggest removing or genericizing them. The check is passive header inspection only.

Configuration examples

Nginx: hide version from Server header

server_tokens off;

Apache: minimal Server header, no signature

ServerTokens Prod
ServerSignature Off

Verify it

curl -sI https://example.com | grep -iE 'server|x-powered-by'
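The curl command above shows the raw headers; the following Python script is an added example (not part of Barrion's check) that applies the same inspection offline. It parses a header block in the form `curl -sI` prints it, flags the disclosing headers named on this page plus a few well-known ones, and rates each finding: a version number is "high", a bare product name in Server is "low", anything else "medium". The header list, severity scale and the two sample responses are assumptions constructed for this example.

```python
import re

# Headers that commonly disclose server or platform details.
# Names from the page plus a few well-known ones (assumed list for this example).
DISCLOSURE_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
}

# Anything that looks like a dotted version, e.g. "1.24.0" or "8.2.12".
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_raw_headers(raw: str) -> dict:
    """Parse an HTTP response header block (as `curl -sI` prints it) into a
    dict keyed by lower-cased header name. The status line and blank lines
    are skipped; CRLF and LF line endings are both accepted."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line; ignore
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(name: str, value: str) -> str:
    """Severity of a disclosing header value (scale assumed for this example)."""
    if VERSION_RE.search(value):
        return "high"        # exact version: direct CVE lookup material
    if name == "server":
        return "low"         # product family only, e.g. "nginx" (genericized)
    return "medium"          # framework/platform named, no version


def find_disclosures(headers: dict) -> list:
    """Return sorted (header, value, severity) tuples for every disclosing header."""
    findings = []
    for name, value in headers.items():
        if name in DISCLOSURE_HEADERS and value:
            findings.append((name, value, classify(name, value)))
    return sorted(findings)


def check_response(raw: str) -> list:
    """Convenience wrapper: raw header block in, findings out."""
    return find_disclosures(parse_raw_headers(raw))


# Constructed sample responses (not captured from any real host).
CHATTY = """HTTP/1.1 200 OK
Server: nginx/1.24.0
X-Powered-By: PHP/8.2.12
Content-Type: text/html
"""

HARDENED = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
"""


if __name__ == "__main__":
    for label, raw in (("chatty", CHATTY), ("hardened", HARDENED)):
        findings = check_response(raw)
        print(f"{label}: {len(findings)} disclosing header(s)")
        for name, value, severity in findings:
            print(f"  [{severity}] {name}: {value}")
```

Pipe real output into it with `curl -sI https://example.com | python3 check_headers.py` after replacing the sample block with `sys.stdin.read()`; the "hardened" sample still yields a low finding because `server_tokens off` removes only the version, not the Server header itself.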