Server header exposes version information
Description
The target website returns the Server header with version information for the software running the site. By exposing these values, attackers may attempt to identify whether the target software is affected by known vulnerabilities, or catalog sites running particular versions to exploit later, when a vulnerability in that version becomes known.
Remediation
We recommend that the version information be removed from the Server header.
Apache:
For Apache-based websites, set ServerTokens to Prod in the httpd.conf configuration file.
NGINX:
For NGINX-based websites, set the server_tokens configuration value to off in the nginx.conf file.
IIS:
For IIS-based websites version 10 and later, set the removeServerHeader attribute in the requestFiltering section of the Web.config file.
For all other server types, please consult your product's documentation on how to redact the version information from the Server header.
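The passive check this page describes, as an added Python example (not GitLab's DAST code): it parses a raw HTTP response head, looks for product/version tokens in the Server header, and runs over constructed responses for a default server and for the remediated Apache, NGINX and IIS settings above.

```python
"""Passive check: does the Server header carry version information?
Added example, not GitLab's implementation. Sample responses are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches product/version tokens such as "Apache/2.4.41", "nginx/1.18.0",
# "Microsoft-IIS/10.0": a product name, "/", and a version starting with a digit.
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d[\w.-]*")


@dataclass
class Finding:
    header_value: Optional[str]  # raw Server value, None if the header is absent
    versions: List[str]          # product/version tokens found in it

    @property
    def exposed(self) -> bool:
        return bool(self.versions)


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response; names are lower-cased."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_server_header(raw_response: str) -> Finding:
    """Report any version tokens present in the Server header."""
    server = parse_headers(raw_response).get("server")
    if server is None:
        return Finding(None, [])
    return Finding(server, VERSION_TOKEN.findall(server))


# Constructed responses: default configuration next to the remediated setting.
APACHE_DEFAULT = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"
APACHE_PROD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"  # ServerTokens Prod
NGINX_DEFAULT = "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"
NGINX_OFF = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"  # server_tokens off
IIS_REMOVED = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"  # removeServerHeader="true"

if __name__ == "__main__":
    for name, raw in [("apache default", APACHE_DEFAULT), ("apache Prod", APACHE_PROD),
                      ("nginx default", NGINX_DEFAULT), ("nginx off", NGINX_OFF),
                      ("iis removed", IIS_REMOVED)]:
        f = check_server_header(raw)
        print(f"{name:15} Server={f.header_value!r:26} exposed={f.exposed} {f.versions}")
```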
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
16.2 | true | 16 | Passive | Low |