
Server Signature Exposure: Why You Should Hide Your Server Version

Published 2026-03-29 · Last modified 2026-03-29

By default, most web servers announce exactly what software and version they're running: every HTTP response carries a Server header such as Server: Apache/2.4.52 (Ubuntu) or Server: nginx/1.22.1. This information serves no purpose for your visitors, but it is useful to attackers, who can match your exact version against vulnerability databases. Hiding the server signature doesn't patch anything, but it is one of the cheapest hardening steps available, often a single line of configuration, and it removes the easiest fingerprinting shortcut an attacker has.

What Gets Exposed

The Server header isn't the only place your web server leaks version information. Depending on your configuration, you may also be exposing details through application headers such as X-Powered-By (PHP, ASP.NET) and X-AspNet-Version, and through the footers of default error pages: Apache's ServerSignature line and nginx's built-in error pages both print the server name, and the version too unless it has been switched off.

Run the HTTP Headers Test on your site right now. You may be surprised by how much you're revealing.

Why This Matters

Security through obscurity alone is not a strategy, but removing unnecessary information disclosure is a recognized hardening practice: OWASP's testing guide treats web server fingerprinting as a reconnaissance step to defend against, and the CIS Benchmarks for Apache HTTP Server and nginx both include disabling the version banner. Here's why it matters:

Automated Vulnerability Scanning

Internet-wide scanners such as Shodan and Censys continuously probe every reachable host and index the banners they receive, including the Server header, so a version string you send once becomes a searchable record. When a vulnerability in a specific server version is disclosed, attackers can query those indexes for every host announcing that version instead of scanning for it themselves (on-demand tools such as Nmap's version detection do the same thing for a single target). If your server broadcasts nginx/1.22.1, you're in that index, and you should expect to be probed soon after any disclosure that names your version.

Targeted Exploit Selection

A manual attacker who sees Apache/2.4.49 knows to go straight to CVE-2021-41773, the path traversal bug (and code execution where CGI is enabled) specific to that release, and can test it with a single request. Without the version, they'd have to try exploits for every plausible version, which is noisier, slower, and more likely to trigger intrusion detection systems.

Supply Chain Intelligence

The X-Powered-By: PHP/7.4 header tells an attacker that you're running a PHP branch that reached end-of-life in November 2022 and no longer receives security fixes. That suggests the rest of the stack isn't being patched either, making you a higher-value target for further investigation.

How to Remove the Server Signature

Nginx

Add a single directive to your main nginx.conf (inside the http block; it can also be set per server or location block if you need to scope it):

server_tokens off;

This changes the Server header from nginx/1.24.0 to simply nginx, and also drops the version from nginx's built-in error pages. To remove the header entirely, you need the third-party headers-more-nginx-module (bundled with OpenResty; packaged on Debian and Ubuntu as libnginx-mod-http-headers-more-filter):

# With headers-more-nginx-module
more_clear_headers Server;

Reload the configuration:

sudo nginx -t && sudo systemctl reload nginx

Apache

Apache has two relevant directives. Add both to your main configuration file (usually /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf; Debian-based systems set ServerTokens in /etc/apache2/conf-available/security.conf, so change it there rather than adding a conflicting copy):

ServerTokens Prod
ServerSignature Off

ServerTokens Prod reduces the header to Server: Apache, but Apache cannot drop the header altogether with its stock directives: the core adds it after mod_headers has run, so Header unset Server has no effect and should not be relied on. The only way to change the banner beyond what ServerTokens allows is ModSecurity 2.x's SecServerSignature, which overwrites the banner string in place. It requires ServerTokens Full in place of ServerTokens Prod (otherwise the buffer is too short and the directive is ignored), and it can replace the value but not remove the header:

ServerTokens Full
SecServerSignature " "

If a reverse proxy (nginx with headers-more, for example) sits in front of Apache, stripping the header there is usually simpler.

Check the configuration and reload (the service is called httpd on RHEL-family systems):

sudo apachectl configtest && sudo systemctl reload apache2

LiteSpeed

In the LiteSpeed WebAdmin Console, navigate to Configuration → Server → General and set Server Signature to hide the version (or the whole header). Alternatively, on OpenLiteSpeed, edit the configuration file directly:

serverSignature        0

IIS (Internet Information Services)

IIS 10.0 and later can drop the Server header and the X-Powered-By: ASP.NET header through web.config. The X-AspNet-Version header is emitted by the ASP.NET runtime itself, so it is switched off under system.web rather than in customHeaders (ASP.NET Core applications on Kestrel instead set AddServerHeader = false in the Kestrel options):

<system.webServer>
    <security>
        <!-- Drops the Server header; requires IIS 10.0 or later -->
        <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
        <customHeaders>
            <!-- X-Powered-By: ASP.NET is added in applicationHost.config, so it can be removed here -->
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
</system.webServer>
<system.web>
    <!-- X-AspNet-Version comes from the ASP.NET runtime, not from customHeaders -->
    <httpRuntime enableVersionHeader="false" />
</system.web>

Removing X-Powered-By

This header is set by your application runtime or framework, not your web server, so it needs to be disabled separately. For PHP, set expose_php = Off in php.ini; for ASP.NET on IIS, use the web.config entries shown in the IIS section. Whatever the application, the most reliable backstop is to strip the header at the web server or reverse proxy in front of it, with proxy_hide_header X-Powered-By; (or fastcgi_hide_header for PHP-FPM) in nginx, or Header unset X-Powered-By with mod_headers in Apache, so that a framework upgrade or a developer re-enabling the header doesn't silently re-expose it.

Verification

After making changes, verify they're effective:

  1. Run the GF.dev Server Signature Test — it checks the Server header and rates the exposure level.
  2. Run the HTTP Headers Test — check for any remaining X-Powered-By or version-leaking headers.
  3. Visit your site's 404 page and verify no server information appears in the error page HTML.
  4. Use curl -sS -o /dev/null -D - https://example.com/ to inspect headers from the command line and confirm the changes have taken effect (this sends a GET, which is what browsers and scanners see; curl -I sends HEAD, which some servers and proxies handle differently).
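As an added example (not part of the GF.dev tools or the original article), the following POSIX shell script automates the header and error-page checks above: it flags any Server header carrying a dotted version number, any X-Powered-By or ASP.NET version header, and the footers Apache and nginx print on default error pages. It assumes curl, awk and grep are available; the sample responses it is exercised with are constructed for illustration, not captured from any real host.

```shell
#!/bin/sh
# Added example (not GF.dev's tooling): audit a site's HTTP response headers
# and its error page for server/framework version leaks.
# Requires only a POSIX shell plus awk, grep and curl.

# audit_headers reads raw response headers on stdin (CRLF or LF line endings)
# and prints one finding per line. Returns 0 if no leak was found, 1 otherwise.
audit_headers() {
    tr -d '\r' | awk -F':' '
        # Any "Name: value" line; $1 is the header name, the value is taken
        # from $0 so that colons inside the value (Date, URLs) are preserved.
        /^[A-Za-z0-9-]+:/ {
            name  = tolower($1)
            value = substr($0, index($0, ":") + 1)
            sub(/^[ \t]+/, "", value)
            if (name == "server") {
                # A product name alone (nginx, Apache) is tolerable; a dotted
                # number means the exact release is being advertised.
                if (value ~ /[0-9]+\.[0-9]+/) {
                    print "LEAK  Server header reveals version: " value; leaks++
                } else {
                    print "INFO  Server header present without version: " value
                }
            } else if (name ~ /^x-(powered-by|aspnet-version|aspnetmvc-version)$/) {
                print "LEAK  " $1 " header should be removed: " value; leaks++
            }
        }
        END {
            if (leaks == 0) print "OK    no version-bearing headers found"
            exit (leaks > 0)
        }
    '
}

# audit_error_body reads an HTML error page on stdin and looks for the footers
# Apache (ServerSignature On) and nginx (server_tokens on) print by default,
# e.g. "<address>Apache/2.4.52 (Ubuntu) Server at host Port 80</address>"
# or "<hr><center>nginx/1.22.1</center>". Returns 0 if clean, 1 if it leaks.
audit_error_body() {
    if grep -E -i -q '<address>.*server at .*port [0-9]+</address>|<center>[a-z-]+/[0-9]+\.[0-9]+</center>|(apache|nginx|microsoft-iis|litespeed)/[0-9]+\.[0-9]+'; then
        echo "LEAK  error page body reveals server software or version"
        return 1
    fi
    echo "OK    error page body shows no server signature"
}

# check_site fetches the site root and a path that cannot exist, then runs
# both audits. A GET is used rather than curl -I because some servers and
# proxies treat HEAD differently. Returns 1 if either check found a leak.
check_site() {
    url="${1%/}"
    status=0
    echo "== Headers for $url/"
    curl -sS -o /dev/null -D - --max-time 15 "$url/" | audit_headers || status=1
    echo "== Error page for $url/signature-probe-$$"
    curl -sS --max-time 15 "$url/signature-probe-$$" | audit_error_body || status=1
    return $status
}

# Usage: sh audit_signature.sh https://example.com
if [ "$#" -ge 1 ]; then check_site "$1"; fi
```

Run it before and after the configuration change; a non-zero exit status means something is still leaking, which makes it easy to drop into a deployment pipeline as a gate.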

Going Further: Security Hardening

Hiding server signatures is just one layer of defense. For a complete security posture:

For a holistic view of server health and performance, see the Web Server Performance Troubleshooting pillar guide, which puts signature exposure in context alongside TTFB optimization and caching strategies.