Every time your website responds to a request, your server sends back a set of HTTP headers. Most are invisible to regular visitors. But buried in those headers is often a piece of information that gives attackers a significant head start: your server’s software name and exact version number.

This is called server version disclosure, and it is enabled by default on most web servers.

What Is Server Version Disclosure?

Many web servers — Apache, Nginx, IIS, and others — include a Server header in their HTTP responses that announces exactly what software is running and which version. A typical response might include:

Server: Apache/2.4.49 (Unix)

Similarly, some applications include an X-Powered-By header revealing the language or framework:

X-Powered-By: PHP/7.4.3

This information is included by default. Most server operators never disable it.

Why Does Advertising Your Server Version Matter?

On its own, knowing a server runs Apache 2.4.49 seems harmless. But attackers do not use this information manually — they use it as a lookup key.

When a security vulnerability is discovered in server software, it is assigned a CVE (Common Vulnerabilities and Exposures) number and published in publicly searchable databases. These databases record which software versions are affected. Automated scanning tools can probe thousands of websites, read their Server headers, and instantly cross-reference them against known vulnerabilities to build a prioritised target list.

In October 2021, Apache 2.4.49 was found to contain a critical path traversal vulnerability (CVE-2021-41773) allowing attackers to read files outside the web root — and in some configurations, execute arbitrary code. Attackers actively scanning for this specific version had a ready-made target list of every site advertising Server: Apache/2.4.49. Many sites were compromised in the window between disclosure and patching, and some remained vulnerable for much longer because operators did not realise they were at risk.

The Reconnaissance Problem

In cybersecurity, the first stage of most attacks is reconnaissance — gathering information about the target. Server version disclosure is free reconnaissance that your website serves up without being asked.

An attacker who knows you are running:

  • Apache on a specific minor version with known vulnerabilities
  • PHP 7.4 (which reached end-of-life in November 2022 and receives no further security updates)
  • An old version of OpenSSL

…has an immediate shortlist of vulnerabilities to try. Without that information, they would have to test blindly — a slower, noisier process that is more likely to be detected.

Removing information that helps attackers prioritise their efforts is a basic but effective reduction of your attack surface.

How to Hide Your Server Version

Disabling version disclosure is a configuration change with no functional impact on your website:

Apache: In httpd.conf or .htaccess:

ServerTokens Prod
ServerSignature Off

ServerTokens Prod reduces the header to just Apache, removing the version. ServerSignature Off removes version information from error pages. Note that ServerTokens is only accepted in the main server configuration (httpd.conf), not in .htaccess; ServerSignature can be set in either.

Nginx: In nginx.conf:

server_tokens off;

This reduces the header to just nginx.

PHP: In php.ini:

expose_php = Off

This removes the X-Powered-By: PHP/x.x.x header entirely.

WordPress: WordPress broadcasts version information in the <meta name="generator"> tag, the readme.html file, and ?ver= parameters on stylesheets and scripts. Security plugins like Wordfence and Solid Security can remove or obscure most of this.
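As an added example (not code from the original post), here is a small Python checker that parses a response's headers and flags product/version tokens in the Server and X-Powered-By headers. It runs on two constructed sample responses, one leaking as in the article and one hardened with the settings above; the assumed `check_url` helper performs the same check live against a site you operate.

```python
import http.client
import re
from urllib.parse import urlparse

# Headers the article identifies as disclosure-prone (matched case-insensitively).
DISCLOSING_HEADERS = ("server", "x-powered-by")
# product/version token, e.g. "Apache/2.4.49", "PHP/7.4.3", "OpenSSL/1.1.1k"
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+[a-z]?)")


def disclosed_versions(headers):
    """Return (header, product, version) for every versioned product token found."""
    findings = []
    for name, value in headers:
        if name.lower() in DISCLOSING_HEADERS:
            for product, version in VERSION_RE.findall(value):
                findings.append((name, product, version))
    return findings


def parse_response_head(raw):
    """Split the status line and headers of a raw HTTP response into (name, value) pairs."""
    if isinstance(raw, bytes):
        raw = raw.decode("iso-8859-1")
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def check_url(url, timeout=5):
    """Live check (assumed helper): HEAD request, then inspect the returned headers."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    return disclosed_versions(conn.getresponse().getheaders())


# Constructed sample responses: a leaky default and a hardened configuration.
LEAKY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.49 (Unix) OpenSSL/1.1.1k\r\n"
         b"X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html>")
HARDENED = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, disclosed_versions(parse_response_head(raw)) or "no version disclosure")
```

An empty result only means the headers carry no version string; it says nothing about whether the software behind them is patched.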

What to Do Next

  • Check what your server is revealing. Use your browser’s developer tools (Network tab, inspect response headers) or a free online header checker.
  • Disable version disclosure in your web server configuration using the settings above.
  • Remove PHP version headers via php.ini.
  • Use a WordPress security plugin if you are on WordPress to suppress version leakage from theme and plugin assets.
  • Most importantly: keep your software updated. Hiding the version buys you time against automated scans, but running current software is the real solution. If you are running the latest version of everything, advertising it matters less — though removing it remains good practice.

This is not security by obscurity in the misleading sense. The real lesson is that version disclosure is a symptom. The underlying fix is keeping your software up to date so there are no known vulnerabilities to exploit in the first place.


W3IT’s free security check checks whether your web server is disclosing version information in its response headers. Run it now to see what information your site is giving away — and get clear guidance on how to stop it.