Server Leaks its Webserver Application via "Server" HTTP Response Header Field
- Risk: Informational
- Type: Passive
- CWE: CWE-200
- Summary
The web/application server is leaking the name of the software it uses as a webserver via the "Server" HTTP response header. Access to such information may help attackers identify other vulnerabilities that your web/application server is subject to. On its own, i.e. without a version string, this information is not very dangerous for the security of the server; nevertheless, the header serves no purpose for legitimate clients, so it is an unnecessary disclosure and a needless piece of attack surface.
- Solution
Ensure that your web server, application server, load balancer, etc. are configured to suppress the "Server" header or to send only a generic value.
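The following Python script is an added example, not part of the ZAP alert text, that reproduces the distinction this page draws: it classifies a response's Server header as absent, as a bare product name (the informational finding described above), or as a product plus version string (the riskier case). The sample responses are constructed for the example and are not captured from any real host; the digit-based version heuristic and the `fetch_headers` helper for live checks are assumptions of this example, not ZAP's own implementation.

```python
"""Passive check for the HTTP "Server" response header.

Added example, not part of the ZAP alert text. Classifies the Server
header the way the alert above distinguishes a bare product name
(informational) from a product plus version string.
"""
import http.client
import re
from urllib.parse import urlsplit

# Heuristic chosen for this example: any run of digits (optionally dotted)
# is treated as a version string, e.g. "Apache/2.4.58", "Microsoft-IIS/10.0".
VERSION_RE = re.compile(r"\d+(\.\d+)*")


def classify_server_header(headers):
    """Return (finding, value) for a dict of response headers.

    finding is one of:
      "none"    - no Server header (nothing to report)
      "generic" - Server header present but without a version string
                  (the informational alert on this page)
      "version" - Server header reveals a version string
    Header names are matched case-insensitively, as HTTP requires.
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "server":
            value = val.strip()
            break
    if not value:
        return ("none", "")
    if VERSION_RE.search(value):
        return ("version", value)
    return ("generic", value)


def fetch_headers(url, timeout=5):
    """Issue a HEAD request and return the response headers as a dict.

    Helper for live checks against a host you are authorised to test;
    not used by the offline sample run below.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/", headers={"Host": parts.netloc})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from real hosts).
SAMPLES = {
    "suppressed":  {"Content-Type": "text/html"},
    "apache_prod": {"Server": "Apache"},                # ServerTokens Prod
    "apache_full": {"Server": "Apache/2.4.58 (Ubuntu)"},  # ServerTokens Full
    "nginx":       {"server": "nginx/1.25.3"},          # lowercase header name
    "iis":         {"Server": "Microsoft-IIS/10.0"},
}


def scan_samples():
    """Classify every constructed sample; returns {name: finding}."""
    return {name: classify_server_header(h)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(f"{name:12s} -> {finding}")
```

Note what the "generic" class means in practice: Apache's `ServerTokens Prod` (see the first reference) and nginx's `server_tokens off` both drop the version but still send the bare product name, so a scan will still raise this informational finding; fully suppressing the header usually has to be done at the reverse proxy or load balancer, or, on IIS 10 and later, with `removeServerHeader="true"` under `requestFiltering`.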
- References
https://httpd.apache.org/docs/current/mod/core.html#servertokens
https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)
https://www.troyhunt.com/shhh-dont-let-your-response-headers/