⚠️ EDUCATIONAL DEMO: Shows how server version headers help attackers identify exploitable vulnerabilities. CVE data shown is real; no actual exploit is performed.

Server Information Disclosure Demo

When the server announces its software version in response headers, attackers skip straight to known exploits — no guessing needed.

THE SECURITY RISK IN PLAIN ENGLISH

Think of it like wearing a name tag that says "I use the lock with CVE-2023-25690 which has a known master key."

Every web server sends HTTP response headers. By default, Apache sends Server: Apache/2.4.51 (Ubuntu), PHP adds X-Powered-By: PHP/7.4.3, WordPress adds X-Generator: WordPress 6.2. This tells attackers the exact software and version — and they immediately know which CVEs to try.

Hiding this information doesn't make the server secure on its own — but it removes the easy shortcut. Attackers move on to easier targets that announce themselves. The fix is literally one config line per server type.

❌ Verbose Headers (Vulnerable)
✅ Hardened Headers (Protected)
🛡️ Nothing to look up.

The server header shows only "Server: webserver" — no software name, no version. Without a version number, automated scanners can't match this server to a CVE database.

The attacker has to actively probe and guess the stack — much slower, noisier (detectable), and more likely to make them move on to an easier target.

❌ Current State (Verbose Headers)

  • Server, PHP version, and CMS fully disclosed in every HTTP response
  • Automated scanners match version → CVE database in milliseconds
  • Unpatched versions (especially EOL PHP 7.x) have critical known exploits
  • Attackers can build a targeted exploit list before sending a single malicious request
  • Also useful for attackers during reconnaissance phase to prioritize targets

✅ Fix (Suppress Version Headers)

  • Apache: ServerTokens Prod and ServerSignature Off in httpd.conf
  • Nginx: server_tokens off; in nginx.conf
  • PHP: expose_php = Off in php.ini
  • WordPress: remove X-Generator via remove_action('wp_head', 'wp_generator')
  • IIS: remove X-Powered-By in web.config and suppress via URL Rewrite module