logo

Server Leaks its Webserver Application via "Server" HTTP Response Header Field

  • Risk:
  • Informational

  • Type:
  • Passive
Summary

The web/application server is leaking the application it uses as a webserver via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to. This information alone, i.e. without a version string, is not very dangerous for the security of a server, nevertheless this information in the response header field is almost always useless and thus just an obsolete attacking vector.

Solution

Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.

References

https://httpd.apache.org/docs/current/mod/core.html#servertokens

https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)

https://www.troyhunt.com/shhh-dont-let-your-response-headers/

Free security scan for your website