Server Information Disclosure: Why Hiding Your Stack Matters
When your web server announces its software name and version in every response header, you're handing attackers a shortcut. Here's what server information disclosure is, what it reveals, and how to suppress it.
What Is Server Information Disclosure?
Every HTTP response your school's web server sends includes headers. By default, many web servers include headers that reveal what software is running and its exact version:
```
Server: Apache/2.4.51 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Generator: WordPress 6.2.1
```
This is called server information disclosure — and it's the web equivalent of leaving your front door key under the mat with a label that says "key here."
Why This Matters
Attackers don't start by trying random attacks. They start by doing reconnaissance — figuring out exactly what software you're running so they can look up known vulnerabilities for that specific version.
With `Server: Apache/2.4.51 (Ubuntu)`, an attacker immediately knows:
- Which published Apache vulnerabilities affect 2.4.51, and therefore which exploits and scanner signatures are worth trying
- That the host runs Ubuntu, which narrows down the package set, default paths and likely PHP build
- Roughly how far behind upstream the server is (with one caveat: distribution packages often carry backported security fixes under the old version number, so a banner can overstate exposure as well as reveal it)
With `X-Powered-By: PHP/7.4.3`, an attacker knows:
- Which PHP vulnerabilities to check against 7.4.3, including memory-safety bugs that can lead to code execution
- That PHP 7.4 reached end of life upstream in November 2022, so anything found since is unfixed unless a distribution backported it (7.4.3 is the version Ubuntu 20.04 ships, which does receive backports, so the banner alone cannot settle this)
- Which remote code execution exploits are worth attempting first
With `X-Generator: WordPress 6.2.1` (WordPress actually places this string in a `<meta name="generator">` tag in the HTML rather than a response header, but the effect is the same), an attacker knows:
- Exactly which WordPress core CVEs to check against 6.2.1
- That plugin and theme enumeration, the usual route into a WordPress site, is the next step
- Which automated WordPress scanners to run
Hiding this information doesn't make your server secure — but it removes the easy shortcut and forces attackers to work harder, increasing the chance they move on to an easier target.
What Gets Disclosed
| Header | What It Reveals |
|--------|----------------|
| Server | Web server software and version (Apache, Nginx, IIS) |
| X-Powered-By | Backend language and version (PHP, ASP.NET) |
| X-Generator | CMS platform and version (Drupal sends it as a header; WordPress puts the same string in a `<meta name="generator">` tag and in `?ver=` query strings on scripts and stylesheets) |
| X-AspNet-Version | .NET framework version |
| HTML comments | Developer notes, internal paths, version numbers |
| Error pages | Stack traces, file paths, server configuration |
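To make the table concrete, here is an added example of the check itself. It is not the Site Scanner's code: it parses a raw HTTP response, flags the disclosing headers from the table (plus the `X-AspNetMvc-Version` header that ASP.NET MVC adds by default), and looks in the HTML for a generator meta tag and `?ver=` asset query strings. The header list, regular expressions and severity labels are my own choices, and the two sample responses are constructed for the demo.

```python
"""Offline checker for server information disclosure.

Added example for this page, not the Site Scanner's code. It parses raw HTTP
responses and reports the headers and HTML hints from the table above. The two
sample responses below are constructed for the demo.
"""
import re

# Header -> what it reveals (from the page's table, plus the ASP.NET MVC
# variant, which ASP.NET MVC sites also send by default).
DISCLOSING_HEADERS = {
    "server": "web server software",
    "x-powered-by": "backend language or framework",
    "x-generator": "CMS platform",
    "x-aspnet-version": ".NET framework",
    "x-aspnetmvc-version": "ASP.NET MVC",
}

VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")
META_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I
)
ASSET_VER_RE = re.compile(r"[?&]ver=(\d+\.\d+(?:\.\d+)*)")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body text).

    Header names are lowercased; a repeated header keeps its last value, which
    is enough for a banner check.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def check_headers(headers: dict) -> list:
    """Flag disclosing headers. A bare product name ("Apache", "cloudflare")
    is low severity; a version string is high, because that is what maps
    directly to a CVE lookup."""
    findings = []
    for name, reveals in DISCLOSING_HEADERS.items():
        value = headers.get(name)
        if value is None:
            continue
        severity = "high" if VERSION_RE.search(value) else "low"
        findings.append({"where": name, "value": value,
                         "reveals": reveals, "severity": severity})
    return findings


def check_body(body: str) -> list:
    """Flag the HTML-side hints: a generator meta tag (WordPress puts its
    version there rather than in a header) and ?ver= query strings on assets."""
    findings = []
    m = META_GENERATOR_RE.search(body)
    if m:
        severity = "high" if VERSION_RE.search(m.group(1)) else "low"
        findings.append({"where": "meta generator", "value": m.group(1),
                         "reveals": "CMS platform", "severity": severity})
    versions = sorted(set(ASSET_VER_RE.findall(body)))
    if versions:
        findings.append({"where": "asset ?ver= query", "value": ", ".join(versions),
                         "reveals": "core/plugin/library versions", "severity": "medium"})
    return findings


def scan(raw: bytes) -> list:
    """Run both checks on one raw response and return all findings."""
    _, headers, body = parse_response(raw)
    return check_headers(headers) + check_body(body)


# Constructed sample: a default Apache + PHP + WordPress install.
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.51 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head>\n"
    b'<meta name="generator" content="WordPress 6.2.1" />\n'
    b'<link rel="stylesheet" href="/wp-content/themes/t/style.css?ver=6.2.1" />\n'
    b'<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>\n'
    b"</head><body></body></html>"
)

# Constructed sample: the same site after the fixes in the next section.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head>\n"
    b'<link rel="stylesheet" href="/wp-content/themes/t/style.css" />\n'
    b"</head><body></body></html>"
)


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in scan(raw):
            print(f"  [{finding['severity']:<6}] {finding['where']}: "
                  f"{finding['value']}  ({finding['reveals']})")
```

Against a live site you would feed `scan()` the bytes of a real response (for example the output of `curl -si`), and the hardened sample shows the residual finding you should expect: the bare `Server: Apache` product name is reported at low severity because Apache cannot drop that header without extra modules.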
How to Remove These Headers
Apache: Trim the Server header
```apache
# httpd.conf or a conf.d/ file. ServerTokens and ServerSignature are core
# directives for the main server config and are NOT accepted in .htaccess.
# ServerTokens Prod reduces "Apache/2.4.51 (Ubuntu)" to just "Apache".
ServerTokens Prod
# Stops the version footer on error pages and directory listings.
ServerSignature Off
# Requires mod_headers. This one is allowed in .htaccess if AllowOverride
# includes FileInfo. expose_php=Off (below) is the cleaner fix for PHP.
Header unset X-Powered-By
```
Note that stock httpd still sends `Server: Apache` after this, and `Header unset Server` is ignored because the core adds that header after mod_headers runs. If the product name itself has to go, use ModSecurity's `SecServerSignature` directive (which needs `ServerTokens Full` to work) or let a reverse proxy rewrite the header. Restart or reload httpd after the change.
Nginx: Suppress version
```nginx
# nginx.conf, in the http or server context. Reduces "Server: nginx/1.24.0"
# to "Server: nginx"; the bare product name still goes out.
server_tokens off;
```
Removing the Server header altogether needs the third-party headers-more module (`more_clear_headers 'Server';`), which most distribution packages do not ship. If nginx fronts PHP-FPM or another application server, `fastcgi_hide_header X-Powered-By;` (or `proxy_hide_header` for a proxied backend) drops that header at the edge regardless of the application's own settings.
PHP: Remove X-Powered-By
```ini
; php.ini comments use ";" not "#". expose_php is a system-level setting:
; it can only be changed in php.ini, not via .htaccess or ini_set().
; On Debian/Ubuntu edit the php.ini of the SAPI in use, e.g. /etc/php/7.4/fpm/php.ini
expose_php = Off
```
Restart PHP-FPM (or Apache, for mod_php) afterwards. Besides the header, this also disables the `?=PHP...` easter-egg query strings that reveal the PHP logo and version.
WordPress: Remove the generator tag and version hints
Add to your theme's functions.php or a small plugin:
```php
// Removes <meta name="generator" content="WordPress 6.2.1" /> from every page head.
remove_action('wp_head', 'wp_generator');
// Blanks the generator string in RSS/Atom feeds and anywhere the_generator() is called.
add_filter('the_generator', '__return_empty_string');
```
This does not remove the `?ver=6.2.1` query string WordPress appends to enqueued scripts and stylesheets (filter `style_loader_src` and `script_loader_src` for that), nor the `readme.html` file in the site root, which states the installed version. Keep WordPress itself updated; hiding 6.2.1 does not fix 6.2.1.
Cloudflare
Cloudflare replaces the Server header on proxied domains: visitors see `Server: cloudflare` instead of your actual web server software. Other headers from your origin (`X-Powered-By`, `X-Generator`) and anything in the HTML pass through unchanged, and an attacker who finds your origin IP bypasses Cloudflare entirely, so apply the fixes above at the origin as well.
This Is One Layer, Not a Solution
Hiding version information is security through obscurity. It lowers the value of an attacker's reconnaissance, nothing more; the vulnerable code is still there, so it is not a substitute for:
- Keeping software up to date
- Applying security patches promptly
- Running a web application firewall
- Regular vulnerability scanning
Think of it as closing a window that's already locked: the lock matters more, but there's no reason to leave the window open.
Check Your Site
The Site Scanner checks your school's response headers for server information disclosure.
Related Resources
- Sensitive Paths Exposed — another reconnaissance target
- CMS Version Exposure — WordPress/Drupal-specific version hiding
- School Cybersecurity Checklist — full hardening checklist