Server header has versioning

Rule from http under security category

By displaying the version of your web server, and even the name, you are creating an opportunity for malicious intruders to attack your web application and/or server. Removing any sensitive information of this kind from HTTP headers will make it far more difficult for an attacker to determine whether your server is vulnerable to an attack. It ought to be noted that this is not a guaranteed way of stopping hacking attempts, but it will make it harder for people to deliver an attack.

HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 01 Dec 2015 09:57:42 GMT
Content-Type: text/html
Content-Length: 12
Last-Modified: Wed, 25 Nov 2015 16:00:16 GMT

How do I fix this?

  • nginx: specify server_tokens off; in either a global configuration, server configuration or location configuration.
  • Apache: specify ServerTokens Prod in your top-most .htaccess configuration file.
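To confirm the change took effect, the check below parses a raw response head and reports what the Server header discloses beyond a bare product name. It is an added example, not Passmarked's own rule code; the function names are hypothetical, and the sample input is constructed from the response shown above (abridged) plus an assumed "after" response with the bare value `nginx`.

```python
import re

# Constructed sample: the response shown on this page (abridged), then the
# same response as it would look once the version is suppressed (assumed).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.4.6 (Ubuntu)\r\n"
    "Date: Tue, 01 Dec 2015 09:57:42 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
AFTER = BEFORE.replace("nginx/1.4.6 (Ubuntu)", "nginx")

# A Server value is a list of products (token, optionally "/" version)
# and parenthesised comments. Nested comments are not handled.
_ITEM = re.compile(r"\(([^()]*)\)|([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:/([^\s()]+))?")


def server_values(raw_response):
    """Return every Server header value in a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":  # names are case-insensitive
            values.append(value.strip())
    return values


def server_header_findings(raw_response):
    """List (kind, detail) pairs for each version or comment disclosed."""
    findings = []
    for value in server_values(raw_response):
        for comment, product, version in _ITEM.findall(value):
            if comment:
                findings.append(("comment", comment.strip()))
            elif version:
                findings.append(("version", f"{product}/{version}"))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, server_values(raw), server_header_findings(raw))
```

An empty findings list means the header carries only product names; the comment finding matters because the parenthesised part (here the distribution name) is disclosure too.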

