If you are running a web server, it often shows the world what type of server it is, its version number, and sometimes even the operating system. This information is exposed in HTTP response headers and can be obtained with a simple request using a web browser or basic tools. It is commonly referred to as the web server banner.
While this information may seem harmless, it can be useful to attackers. By identifying the server software and version, they can tailor their approach and look for known vulnerabilities that match your setup.
Why server banner disclosure matters
Attackers can perform banner grabbing using simple tools like telnet or netcat, as well as automated scanners. Once they identify the server type and version, they can attempt targeted attacks or known exploits associated with that specific technology.
It’s important to note that hiding banner information does not fix underlying vulnerabilities. You still need to keep your systems patched and securely configured. However, limiting exposed details reduces the amount of information available to an attacker and can make opportunistic attacks more difficult, which makes it a basic AppSec best practice for web server hardening.
Tip: Exposed server headers are a common finding in automated web application security scans. If you’re unsure whether your applications reveal this information, an automated scan can quickly check all your web assets.
The following is an example of an HTTP response header that exposes detailed server information:
HTTP/1.1 200 OK
Date: Wed, 15 Jan 2025 10:22:31 GMT
Server: Apache/2.4.57 (Unix)
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
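To verify what a server actually discloses, here is an added example in Python (not part of the original article): it parses a raw response like the one above, flags the Server and X-Powered-By headers, and distinguishes a full version banner from a product-only name such as the one ServerTokens Prod leaves behind. The check_host helper and the sample responses are assumptions constructed for this example.

```python
import http.client
import re

# Headers commonly flagged for technology disclosure (the Server and
# X-Powered-By headers discussed on this page).
DISCLOSURE_HEADERS = ("server", "x-powered-by")
# A dotted number such as "2.4.57" marks a version string.
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_raw_headers(raw):
    """Turn a raw HTTP response (status line + headers) into (name, value) pairs."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if line == "":  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_headers(pairs):
    """Return (header, value, level) for each disclosing header: level is
    "version" when a version number is present and "product" when only the
    product name is exposed (what ServerTokens Prod or server_tokens off yields)."""
    findings = []
    for name, value in pairs:
        if name.lower() in DISCLOSURE_HEADERS:
            level = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, level))
    return findings


def check_host(host, port=80, path="/", timeout=5):
    """Send a HEAD request to a server you operate and check its response headers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return check_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from a real host): the first mirrors
# the exposed example above, the second is what hardening would leave behind.
EXPOSED = ("HTTP/1.1 200 OK\r\nDate: Wed, 15 Jan 2025 10:22:31 GMT\r\n"
           "Server: Apache/2.4.57 (Unix)\r\nX-Powered-By: PHP/8.2.1\r\n"
           "Content-Length: 226\r\nConnection: close\r\n"
           "Content-Type: text/html; charset=iso-8859-1\r\n\r\n")
HARDENED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 226\r\n\r\n"
```

Run check_headers(parse_raw_headers(EXPOSED)) to see both headers flagged at the "version" level, while the hardened response only reports the product name.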
Limiting information provided by Apache
You can limit the information that an Apache server presents by configuring the following directives in httpd.conf:
# Reduce exposed information
ServerTokens Prod
ServerSignature Off

# Optionally remove the Server header entirely (requires mod_headers)
Header always unset Server
- ServerTokens Prod ensures Apache only returns the product name (for example, Server: Apache) without version numbers or OS details
- ServerSignature Off prevents version details from appearing in server-generated pages
- Header always unset Server removes the Server header entirely when the mod_headers module is enabled
Limiting information provided by IIS
Modern versions of IIS (such as IIS 10 and later) allow you to control or remove the Server header directly in configuration.
A common approach is to update your web.config file:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>
- The removeServerHeader option removes the Server header entirely and requires IIS 10.0 or later
- Removing X-Powered-By helps prevent disclosure of backend technologies such as ASP.NET
Limiting information provided by nginx
You can limit the information that nginx exposes by updating your nginx.conf file. In the http block, set:
# Remove version information
server_tokens off;

# Remove the Server header entirely (requires headers-more module)
more_clear_headers 'Server';
- server_tokens off removes version numbers from the Server header
- more_clear_headers 'Server'; removes the header entirely when the headers-more module is enabled
The headers-more module is commonly available as a dynamic module in modern nginx distributions.
Handling server headers at the edge
In modern environments, applications are often deployed behind reverse proxies, load balancers, or CDNs. These components can also expose or modify server headers.
In many cases, the most effective place to control header disclosure is at the edge – for example:
- CDN services (such as Cloudflare or Akamai)
- Reverse proxies (such as nginx or Envoy)
- Web application firewalls (WAFs)
In addition to the Server header, you should also review headers like X-Powered-By, which can reveal backend technologies and are commonly flagged by security scanners.
Centralizing header control at this layer can simplify management across multiple applications and environments.
Frequently asked questions about web server banner disclosure
Web servers often show a web server banner, which includes information on the type of web server (for example, nginx, Apache, IIS), the version number, and the operating system. This information is available in header fields and can be read by anyone.
Information from the web server banner can be used by malicious hackers to prepare more efficient attacks. For example, if they immediately know that you are running Apache 2.4.38, they also know that your server is vulnerable to CVE-2019-0211 and they may attempt to exploit it.
Many servers are configured by default to expose web server banner information. To change that, you simply need to reconfigure the web server and, if necessary, restart it. After such a configuration change, the web server will no longer expose information about its make, version, or OS.
You can check manually whether your web server exposes banner information, but it’s much easier and safer to check all your web servers, all your websites, and all your web applications using an automated vulnerability scanner. Such a scanner will also find any other misconfigurations and potentially critical vulnerabilities.