⚠️ EDUCATIONAL DEMO: Shows how server version headers help attackers identify exploitable vulnerabilities. CVE data shown is real; no actual exploit is performed.
Server Information Disclosure Demo
When the server announces its software version in response headers, attackers skip straight to known exploits — no guessing needed.
THE SECURITY RISK IN PLAIN ENGLISH
Think of it like wearing a name tag that says "I use the lock with CVE-2023-25690 which has a known master key."
Every web server sends HTTP response headers. By default, Apache sends Server: Apache/2.4.51 (Ubuntu), PHP adds X-Powered-By: PHP/7.4.3, WordPress adds X-Generator: WordPress 6.2. This tells attackers the exact software and version — and they immediately know which CVEs to try.
Hiding this information doesn't make the server secure on its own — but it removes the easy shortcut. Attackers move on to easier targets that announce themselves. The fix is literally one config line per server type.
❌ Verbose Headers (Vulnerable)
✅ Hardened Headers (Protected)
🛡️ Nothing to look up.
The server header shows only "Server: webserver" — no software name, no version. Without a version number, automated scanners can't match this server to a CVE database.
The attacker has to actively probe and guess the stack — much slower, noisier (detectable), and more likely to make them move on to an easier target.
❌ Current State (Verbose Headers)
Server, PHP version, and CMS fully disclosed in every HTTP response
Automated scanners match version → CVE database in milliseconds
Unpatched versions (especially EOL PHP 7.x) have critical known exploits
Attackers can build a targeted exploit list before sending a single malicious request
Also useful for attackers during reconnaissance phase to prioritize targets
✅ Fix (Suppress Version Headers)
Apache: ServerTokens Prod and ServerSignature Off in httpd.conf
Nginx: server_tokens off; in nginx.conf
PHP: expose_php = Off in php.ini
WordPress: remove X-Generator via remove_action('wp_head', 'wp_generator')
IIS: remove X-Powered-By in web.config and suppress via URL Rewrite module