Home / Tools / Suppress server version disclosure in response headers
Security Headers · Scan Check Guide

Suppress server version disclosure in response headers

15 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

Many web servers include their exact software name and version number in every response (a Server header like nginx/1.18.0), which hands attackers a shortcut — they can look up known vulnerabilities for that specific version instead of probing blind.

Server and X-Powered-By headers hand attackers a head start — "Apache/2.4.49" or "PHP/7.2.3" tells them exactly which known vulnerabilities to try first. This information has no benefit to legitimate visitors.

How to fix it

  1. 1
    Check what your server is currently revealing
    Look at your response headers for Server, X-Powered-By, and similar version-disclosing headers.
  2. 2
    Suppress the version number
    Nginx: server_tokens off; in the config. Apache: ServerTokens Prod and ServerSignature Off. Cloudflare: this is often stripped automatically at the edge.
  3. 3
    Check application-level headers too
    PHP, WordPress, and various frameworks add their own version-revealing headers (X-Powered-By: PHP/8.1) — these need separate suppression, usually in the app config.

Common mistakes

How you'll know it's done

Your response headers no longer reveal specific software version numbers.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →