What it is
Server information disclosure means your HTTP responses reveal the type and version of your web server, runtime, or framework. Common culprits are the Server header (e.g. nginx/1.18.0) and X-Powered-By (e.g. PHP/8.1, Express). Attackers use this to pick known exploits.
Why it matters
You don't need to advertise your stack to the world. Hiding or genericizing these headers is a small change that makes it harder for automated scanners and attackers to target you. Many compliance and security scans flag disclosure as a finding.
How it is exploited
An attacker curls your site, sees Server: nginx/1.18.0 and X-Powered-By: Express, and immediately checks CVE feeds for known issues in those exact versions. They skip generic fuzzing and go straight to working exploits for that stack, cutting hours off the recon phase. Mass scanners do the same at internet scale, so leaked versions land you on target lists faster.
How to fix it
- Find what you're sending. Run Barrion's server information disclosure check or look at response headers in your browser dev tools. Note Server, X-Powered-By, X-AspNet-Version, or any other header that reveals product or version.
- Remove or genericize in server config. In Nginx you can set more_clear_headers Server or override with a generic value. In Apache, use Header unset Server and similar. Turn off X-Powered-By in your app server or framework if possible.
- Application and framework settings. In Node/Express, disable X-Powered-By with app.disable('x-powered-by'). In PHP, set expose_php = Off in php.ini. For other runtimes, check the docs for hiding version headers.
- Verify. Re-scan or inspect headers again. The goal is to avoid sending product names and versions that help an attacker.
Examples by platform
Nginx
server_tokens off;            # built into nginx: drops the version but still sends "Server: nginx"
more_clear_headers Server;    # needs headers-more-nginx-module: removes the Server header entirely
# or: more_set_headers "Server: WebServer";   # headers-more: replace it with a generic value
# (add_header Server "..." does not replace nginx's built-in Server header; use more_set_headers instead)
Node.js (Express)
app.disable('x-powered-by');  // stops Express adding "X-Powered-By: Express" to every response
How to verify the fix
Confirm Server and X-Powered-By are not leaking version details:
curl -sI https://example.com | grep -iE "server|x-powered-by"
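As an added check that is not part of the original article and is not Barrion's scanner: a small Python script that parses the output of curl -sI and grades each disclosing header as "version" (product plus version number), "product" (name only, or a generic value to review) or "none". The header names beyond the three the article lists, the severity labels and the sample responses are this example's own constructed choices.

```python
import re
from typing import Dict, List, Tuple

# Headers that commonly name the server product, runtime or framework. The first
# three are the ones the article lists; the other two are further well-known examples.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator"}
# A dotted number such as 1.18.0 or 8.1 counts as a version string.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn `curl -sI` output (status line plus header lines) into (name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/") or ":" not in line:
            continue  # blank, status line or malformed line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_disclosures(raw: str) -> List[Dict[str, str]]:
    """One finding per disclosing header: 'version' when a version number is
    present, otherwise 'product' (a bare product name or a generic value)."""
    findings = []
    for name, value in parse_headers(raw):
        if name in DISCLOSING_HEADERS:
            severity = "version" if VERSION_RE.search(value) else "product"
            findings.append({"header": name, "value": value, "severity": severity})
    return findings


def worst_severity(raw: str) -> str:
    """Summarise a response as 'version', 'product' or 'none'."""
    levels = {f["severity"] for f in find_disclosures(raw)}
    if "version" in levels:
        return "version"
    return "product" if "product" in levels else "none"


# Constructed sample responses (not captured from any real host).
BEFORE_FIX = "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: Express\r\nContent-Type: text/html\r\n"
AFTER_FIX = "HTTP/1.1 200 OK\r\nServer: WebServer\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, worst_severity(raw), find_disclosures(raw))
```

A "product" result on the generic Server value is left for the reviewer to judge; the goal from the article is no product names or versions, so "none" is the target.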