The 'Server' header discloses information about the web server software in use, including potential version data (e.g., Apache, nginx, IIS). Attackers can leverage this information to identify known vulnerabilities, target specific exploits, or tailor reconnaissance efforts. Such disclosure often facilitates more efficient brute-force attacks or social engineering tactics, as malicious actors can craft payloads for the disclosed server type. Additionally, knowing the underlying server can guide attackers toward default configurations, overlooked patches, or typical misconfigurations. Ultimately, exposing the 'Server' header increases the application's overall risk profile by narrowing down possible attack vectors.
Remove or obfuscate the 'Server' header at the web server configuration level (e.g., in Apache’s httpd.conf, nginx.conf, or IIS settings). Ensure that any reverse proxies, load balancers, or container orchestration layers do not reintroduce this header. Keep the server software up to date with the latest patches and security advisories to mitigate well-known vulnerabilities. Employ a Web Application Firewall (WAF) or intrusion detection system to block or detect malicious traffic targeting specific server exploits. Regularly review logs and configurations to confirm the 'Server' header remains suppressed, thereby reducing inadvertent information disclosure.
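One way to verify the header really is suppressed end to end (after the origin server, proxies and load balancers have all had their say) is to check the response headers the client actually receives. The following is an added example, not part of the original finding: it parses raw HTTP response headers, constructed inline for the demonstration, and classifies the 'Server' header as absent, product name only, or product plus version.

```python
import re

# Matches dotted version data such as 2.4.57, 1.25 or 10.0 inside a header value.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict.

    Header names are case-insensitive, so 'Server' and 'server' are treated alike.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_server_header(headers: dict) -> str:
    """Return 'absent' (missing or empty), 'product' (name only) or 'version'."""
    value = headers.get("server", "")
    if not value:
        return "absent"
    if VERSION_RE.search(value):
        return "version"
    return "product"


def check_response(raw_response: str) -> dict:
    """Evaluate one raw response and report whether the finding still applies."""
    headers = parse_headers(raw_response)
    disclosure = classify_server_header(headers)
    return {
        "server": headers.get("server"),
        "disclosure": disclosure,
        "finding": disclosure != "absent",
    }


# Constructed sample responses (not captured from any real host).
FULL_DISCLOSURE = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"
PRODUCT_ONLY = "HTTP/1.1 200 OK\r\nVia: 1.1 edge-proxy\r\nserver: nginx\r\nContent-Length: 0\r\n\r\n"
SUPPRESSED = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for sample in (FULL_DISCLOSURE, PRODUCT_ONLY, SUPPRESSED):
        print(check_response(sample))
```

Note that nginx's `server_tokens off` and Apache's `ServerTokens Prod` strip the version but still emit the product name, which this check reports as 'product'; removing the header entirely needs an additional module or proxy rule.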
Code: A05:2021
Category: Security Misconfiguration
5.3