If you are running a web server, it often shows the world what type of server it is, its version number, and sometimes even the operating system. This information is exposed in HTTP response headers and can be obtained with a simple request using a web browser or basic tools. It is commonly referred to as the web server banner.
While this information may seem harmless, it can be useful to attackers. By identifying the server software and version, they can tailor their approach and look for known vulnerabilities that match your setup.
Why server banner disclosure matters
Attackers can perform banner grabbing using simple tools like telnet or netcat, as well as automated scanners. Once they identify the server type and version, they can attempt targeted attacks or known exploits associated with that specific technology.
It’s important to note that hiding banner information does not fix underlying vulnerabilities. You still need to keep your systems patched and securely configured. However, limiting exposed details reduces the amount of information available to an attacker and can make opportunistic attacks more difficult, which makes it a basic AppSec best practice for web server hardening.
Tip: Exposed server headers are a common finding in automated web application security scans. If you’re unsure whether your applications reveal this information, an automated scan can quickly check all your web assets.
The following is an example of an HTTP response header that exposes detailed server information:
HTTP/1.1 200 OK
Date: Wed, 15 Jan 2025 10:22:31 GMT
Server: Apache/2.4.57 (Unix)
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
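As an added example (not code from the original article), the following Python check parses a raw HTTP response such as the one above and reports which headers disclose server details, so you can verify a server before and after hardening it; the three sample responses are constructed, and the X-Powered-By value in the first is assumed for illustration.

```python
"""Flag server banner disclosure in HTTP response headers (added example)."""
import re

# Headers besides Server that commonly reveal backend technology
TECH_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

def parse_headers(raw_response: str) -> dict:
    """Map lowercased header names to values from a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln]
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def banner_findings(raw_response: str) -> list:
    """Return (header, value, what it reveals) for each disclosing header."""
    headers = parse_headers(raw_response)
    findings = []
    server = headers.get("server")
    if server is not None:
        reveals = []
        if re.search(r"[/ ]\d", server):      # e.g. Apache/2.4.57 or nginx/1.25.3
            reveals.append("version")
        if re.search(r"\(.+\)", server):       # e.g. (Unix), (Ubuntu), (Win64)
            reveals.append("os")
        findings.append(("server", server, ", ".join(reveals) or "product only"))
    for name in TECH_HEADERS:
        if name in headers:
            findings.append((name, headers[name], "backend technology"))
    return findings

# Constructed sample responses: the exposed banner from the article (plus an assumed
# X-Powered-By header), a ServerTokens Prod style banner, and a fully stripped one
EXPOSED = (
    "HTTP/1.1 200 OK\r\nDate: Wed, 15 Jan 2025 10:22:31 GMT\r\n"
    "Server: Apache/2.4.57 (Unix)\r\nX-Powered-By: PHP/8.2.0\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n<html>...</html>"
)
PRODUCT_ONLY = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
STRIPPED = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("exposed", EXPOSED), ("product only", PRODUCT_ONLY), ("stripped", STRIPPED)):
        print(label, banner_findings(resp) or "no disclosure")
```

To check a live server, feed it the raw output of `curl -si` for the URL in question; the parser only needs the status line and headers.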
Limiting information provided by Apache
You can limit the information that an Apache server presents by configuring the following directives in httpd.conf:
# Reduce exposed information
ServerTokens Prod
ServerSignature Off

# Optionally remove the Server header entirely (requires mod_headers)
Header always unset Server
- ServerTokens Prod ensures Apache only returns the product name (for example, Server: Apache) without version numbers or OS details
- ServerSignature Off prevents version details from appearing in server-generated pages
- Header always unset Server removes the Server header entirely when the mod_headers module is enabled
Limiting information provided by IIS
Modern versions of IIS (such as IIS 10 and later) allow you to control or remove the Server header directly in configuration.
A common approach is to update your web.config file:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>
- The removeServerHeader option removes the Server header entirely and requires IIS 10.0 or later
- Removing X-Powered-By helps prevent disclosure of backend technologies such as ASP.NET
Limiting information provided by nginx
You can limit the information that nginx exposes by updating your nginx.conf file. In the http block, set:
# Remove version information
server_tokens off;

# Remove the Server header entirely (requires headers-more module)
more_clear_headers 'Server';
- server_tokens off removes version numbers from the Server header
- more_clear_headers 'Server'; removes the header entirely when the headers-more module is enabled
The headers-more module is commonly available as a dynamic module in modern nginx distributions.
Handling server headers at the edge
In modern environments, applications are often deployed behind reverse proxies, load balancers, or CDNs. These components can also expose or modify server headers.
In many cases, the most effective place to control header disclosure is at the edge – for example:
- CDN services (such as Cloudflare or Akamai)
- Reverse proxies (such as nginx or Envoy)
- Web application firewalls (WAFs)
In addition to the Server header, you should also review headers like X-Powered-By, which can reveal backend technologies and are commonly flagged by security scanners.
Centralizing header control at this layer can simplify management across multiple applications and environments.
Frequently asked questions about web server banner disclosure
Web servers often expose a server banner, which may include the server type (for example, nginx, Apache, IIS), version number, and sometimes operating system details. This information is returned in HTTP response headers and is visible to anyone making a request.
Banner information can help attackers identify technologies in use and match them with known vulnerabilities. For example, if a specific version is known to be affected by a published vulnerability, it becomes an easier target.
Most web servers expose banner information by default. You can reduce this exposure by adjusting server configuration settings or handling headers at the proxy or CDN level. After making changes, restart or reload your server for the configuration to take effect.
No. Removing or modifying the server header is a minor hardening step. Attackers can use other techniques to fingerprint systems, and real security depends on proper patching, secure configuration, and ongoing testing.
You can check manually using tools like curl or browser developer tools, but this approach is limited. An accurate automated web application security scanner can check all your applications at scale and identify exposed headers alongside other security misconfigurations and vulnerabilities.