People like to say “security is hard”.
In reality, security is often just people forgetting boring, obvious things. Server headers are one of those things.
If your API responds with a header like:
Server: nginx/1.18.0
or
Server: Apache/2.4.49
you've already helped the attacker more than you think.
Why does this matter in practice? Exposing an exact server version makes fingerprinting trivial. The attacker can:
- identify the tech
- identify the version
- map it to known CVEs
- automate exploitation
This isn’t theory. This is how large-scale attacks start.
OWASP's Web Security Testing Guide has a dedicated test for fingerprinting the web server, and it points out that knowing the server software and its version helps determine whether it is vulnerable, especially when older or partially patched components are involved.
“But we patch regularly…” Good. Then this check passes and nobody cares. Until:
- the reverse proxy wasn’t updated
- OpenSSL lagged behind
- a rushed hotfix re-enabled “helpful” headers
And because nothing breaks, nobody notices. That’s why this issue survives in production for months.
The fix is boring (and that’s good)
- Don't disclose server versions in headers (nginx: server_tokens off; Apache: ServerTokens Prod and ServerSignature Off)
- Keep banners minimal, including on default error pages
- Don't leak framework or proxy details (X-Powered-By, Via, upstream banners) unless absolutely necessary
Removing version info removes the cheapest step in an attacker's workflow: automated tooling can no longer map your host straight to a CVE list. It does not fix the underlying component, so it complements patching rather than replacing it. And verify it: a header is only hidden if the response you actually serve, through every proxy in front of the app, no longer carries the version.
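A small check for the last point, as an added example that is not part of the original post. It flags a Server header that carries a version number, runs against constructed sample responses so it works offline, and includes a helper (check_url, assumed to have curl available) for pointing it at a real endpoint after the nginx or Apache change above:

```shell
#!/bin/sh
# Added example, not from the original post.
# Config that produces the "hardened" response below (for reference):
#   nginx:  server_tokens off;        -> "Server: nginx" (product name stays;
#           stock nginx cannot drop the header entirely without a module)
#   Apache: ServerTokens Prod         -> "Server: Apache"
#           ServerSignature Off       -> no version on error pages

# Returns 0 (true) when the Server header contains a version number such as
# "nginx/1.18.0" or "Apache/2.4.49", 1 otherwise.
# $1: raw response headers (CRLF or LF line endings), e.g. output of curl -sI.
server_header_leaks_version() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^server:' \
        | grep -Eq '[0-9]+\.[0-9]+'
}

# Constructed sample responses (not captured from any real host).
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: application/json'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json'

# Live check. Assumes curl is installed; exit 1 on a leak, 2 if the request
# itself failed. Usage: check_url https://api.example.com/health
check_url() {
    headers=$(curl -sI --max-time 10 "$1") || return 2
    if server_header_leaks_version "$headers"; then
        echo "LEAK: $1 discloses a server version"
        return 1
    fi
    echo "OK: $1 does not disclose a server version"
}

# Run the offline samples when executed directly.
if server_header_leaks_version "$LEAKY_HEADERS"; then
    echo "sample 1: version disclosed (expected)"
fi
if ! server_header_leaks_version "$HARDENED_HEADERS"; then
    echo "sample 2: no version disclosed (expected)"
fi
```

Run check_url against the public hostname, not localhost: the reverse proxy or CDN in front of the app may add or rewrite the header, which is exactly the case the post warns about.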
I documented this check in more detail here