When your web server announces its software name and version in every response header, you're handing attackers a shortcut. Here's what server information disclosure is, what it reveals, and how to suppress it.
Every HTTP response your school's web server sends includes headers. By default, many web servers include headers that reveal what software is running and its exact version:
```http
Server: Apache/2.4.51 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Generator: WordPress 6.2.1
```
This is called server information disclosure — and it's the web equivalent of leaving your front door key under the mat with a label that says "key here."
Attackers don't start by trying random attacks. They start by doing reconnaissance — figuring out exactly what software you're running so they can look up known vulnerabilities for that specific version.
With Server: Apache/2.4.51, an attacker immediately knows:
With X-Powered-By: PHP/7.4.3, an attacker knows:
With X-Generator: WordPress 6.2.1, an attacker knows:
Hiding this information doesn't make your server secure — but it removes the easy shortcut and forces attackers to work harder, increasing the chance they move on to an easier target.
| Header | What It Reveals |
|--------|----------------|
| Server | Web server software and version (Apache, Nginx, IIS) |
| X-Powered-By | Backend language and version (PHP, ASP.NET) |
| X-Generator | CMS platform and version (WordPress, Drupal) |
| X-AspNet-Version | .NET framework version |
| HTML comments | Developer notes, internal paths, version numbers |
| Error pages | Stack traces, file paths, server configuration |
Apache (httpd.conf; `Header` also needs mod_headers enabled):

```apache
# httpd.conf only: ServerTokens is a server-config directive and is ignored in .htaccess.
# "Prod" reduces the header to "Server: Apache" (no version, no OS).
ServerTokens Prod
# Stop Apache appending its version to generated error pages and directory listings.
ServerSignature Off
# Needs mod_headers; valid in httpd.conf, a <VirtualHost>, or .htaccess.
# Note: "Header unset Server" does not work, because Apache adds the Server header after
# mod_headers runs; fully removing or rewriting it needs mod_security (SecServerSignature).
Header unset X-Powered-By
```
Nginx (nginx.conf, in the `http` or `server` block; the header still reads `Server: nginx`, only the version is dropped):

```nginx
server_tokens off;
```
PHP (removes the `X-Powered-By: PHP/x.y.z` header; restart the web server or PHP-FPM afterwards):

```ini
; php.ini
expose_php = Off
```
WordPress: add to your theme's functions.php or a plugin:

```php
<?php
// Stop WordPress printing <meta name="generator" content="WordPress x.y.z"> in <head>.
remove_action('wp_head', 'wp_generator');
// Also blank the generator string used in RSS/Atom feeds and elsewhere.
add_filter('the_generator', '__return_empty_string');
```

Cloudflare strips or replaces the Server header by default for proxied domains — it will show `cloudflare` instead of your actual server software.
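A way to verify the suppressions above from the defender's side is to capture a raw response and flag every place software names or versions still leak: the headers from the table, the WordPress generator meta tag, and HTML comments carrying version-looking numbers. The script below is an added example, not code from the original article or from any scanner product it mentions; the two raw HTTP responses are constructed inline, and the "high"/"low" severity split (version string present or not) is this example's own convention.

```python
import re
from typing import Dict, List, Tuple

# Response headers that commonly leak software names and versions (mirrors the table above).
DISCLOSING_HEADERS = {
    "server": "web server software and version",
    "x-powered-by": "backend language and version",
    "x-generator": "CMS platform and version",
    "x-aspnet-version": ".NET framework version",
}

# A version-looking token such as 2.4.51, 7.4.3 or 6.2 (no word boundary, so "v3.1" also hits).
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")
META_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I
)
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)

# Constructed sample: a default-configured Apache + PHP + WordPress response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.51 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 6.2.1">\n'
    "<!-- theme build 3.1, templates under /var/www/html/wp-content -->\n"
    "</head><body>ok</body></html>\n"
)

# Constructed sample: the same site after ServerTokens Prod, expose_php=Off and wp_generator removal.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head></head><body>ok</body></html>\n"
)


def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (headers, body); header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def find_disclosures(raw: str) -> List[Dict[str, str]]:
    """Return one finding per header, meta tag or comment that discloses software details."""
    headers, body = parse_response(raw)
    findings: List[Dict[str, str]] = []

    for name, meaning in DISCLOSING_HEADERS.items():
        value = headers.get(name)
        if value is None:
            continue
        versioned = VERSION_RE.search(value) is not None
        findings.append({
            "where": f"header {name}",
            "value": value,
            "severity": "high" if versioned else "low",
            "note": meaning,
        })

    # <meta name="generator" ...> is how WordPress announces itself in the HTML itself.
    for m in META_GENERATOR_RE.finditer(body):
        findings.append({"where": "meta generator", "value": m.group(1),
                         "severity": "high", "note": "CMS platform and version"})

    # HTML comments only count when they carry a version-looking number.
    for m in HTML_COMMENT_RE.finditer(body):
        text = " ".join(m.group(1).split())
        if VERSION_RE.search(text):
            findings.append({"where": "html comment", "value": text,
                             "severity": "medium", "note": "developer note with version/path"})
    return findings


def report(raw: str) -> str:
    """Human-readable summary of the findings for one response."""
    lines = [f"{f['severity'].upper():6} {f['where']}: {f['value']}" for f in find_disclosures(raw)]
    return "\n".join(lines) if lines else "no server information disclosure found"


if __name__ == "__main__":
    print("--- default configuration ---")
    print(report(SAMPLE_RESPONSE))
    print("--- after hardening ---")
    print(report(HARDENED_RESPONSE))
```

Against a live site, the raw response can be captured with `curl -si https://your-school.example/` (hypothetical host) and piped into `find_disclosures`; the hardened sample still yields one "low" finding because `ServerTokens Prod` leaves `Server: Apache` in place, which matches the caveat in the Apache section.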
Hiding version information is security through obscurity — it reduces your attack surface but is not a substitute for:
Think of it as closing a window that's already locked: the lock matters more, but there's no reason to leave the window open.
The Site Scanner checks your school's response headers for server information disclosure.