Hide Webserver Version

Hiding Version Information in Web Servers

Purpose

Sunet continuously scans for vulnerabilities in public-facing systems. To minimize unnecessary alerts and avoid being contacted by Sunet, it is important to take preventive measures. The purpose of this guideline is to reduce false vulnerability alerts and limit exposure of technical information. Web servers should not expose version numbers or information about the underlying operating system in HTTP headers.

Exposing version information can lead to:

  • Unnecessary alerts in vulnerability scans
  • Information leakage about the system environment
  • Increased risk during targeted attacks

Verification of Current Configuration

Check what information the server exposes by running:

Example:

If the response contains, for example:

the version information is visible and the configuration needs adjustment.

Notes on verification:

  • curl --head (or curl -I) only requests the HTTP headers, not the full page content.
  • You should specifically look at the Server: header to see if it contains versions or OS information.
  • After correct configuration, headers should show only the server name, e.g., Server: nginx, or the header may be removed entirely depending on configuration.
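The check above can be scripted so it runs the same way in a security review as it does by hand. The script below is an added example, not part of the Sunet guideline: it fetches only the headers (curl -sI, the same request as curl --head) and classifies the Server: header as NONE (absent), OK (product name only) or LEAK (version number or OS hint). The classification rules and the sample responses are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not part of the guideline): classify the Server: header of an
# HTTP response as NONE (header absent), OK (product name only) or LEAK
# (version number or OS hint present). The matching rules are an assumption
# made for this example, not something the guideline specifies.

# classify_server_header RAW_HEADERS
#   RAW_HEADERS: a block of response headers as produced by `curl -I`
#   (CRLF or LF line endings). Prints one word: NONE, OK or LEAK.
classify_server_header() {
    value=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^server:' | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo NONE
    # "/1.18.0", "2.4" or a parenthesised OS name such as "(Ubuntu)" count as leaks
    elif printf '%s' "$value" | grep -Eq '/[0-9]|[0-9]+\.[0-9]+|\(.*\)'; then
        echo LEAK
    else
        echo OK
    fi
}

# check_url URL: request only the headers and classify them. Returns 1 on
# LEAK so the function can gate a review script.
check_url() {
    headers=$(curl -sI --max-time 10 "$1") || { echo "request failed: $1" >&2; return 2; }
    result=$(classify_server_header "$headers")
    echo "$1: $result"
    [ "$result" != LEAK ]
}

# Constructed sample responses (not captured from a real host).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html'

SAMPLE_AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

SAMPLE_NO_HEADER='HTTP/1.1 200 OK
Content-Type: text/html'

# Usage: sh check_server_header.sh https://www.example.org/  (one or more URLs)
# With no arguments the script only classifies the constructed samples.
if [ "$#" -eq 0 ]; then
    echo "before: $(classify_server_header "$SAMPLE_BEFORE")"
    echo "after:  $(classify_server_header "$SAMPLE_AFTER")"
    echo "none:   $(classify_server_header "$SAMPLE_NO_HEADER")"
else
    rc=0
    for url in "$@"; do check_url "$url" || rc=1; done
    exit $rc
fi
```

Run it against your own hosts after a configuration change: a non-zero exit status means at least one Server: header still carries a version or OS string. The regular expression is deliberately simple; a product name that happens to contain a dotted number would be reported as a leak and should be reviewed by hand.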

Configuration by Web Server

Nginx (Ubuntu)

Applies to servers using Nginx on Ubuntu.

Action

  1. Open the configuration file:

  2. Ensure the following line exists in the http block. Often, server_tokens off; is already present but commented out—simply remove the # if that is the case:

    Explanation:

    • By default, Nginx sends Server: nginx/<version> (<OS>) in HTTP headers.

    • With server_tokens off;, the server will send only Server: nginx.

    • This hides the version number and operating system, reducing false vulnerability alerts.

    • Note: This does not remove the Server header completely. Removing it entirely requires the headers-more module:

  3. Restart the service:

  4. Verify the change with:

    After the change, only the following should be shown:


Apache (Ubuntu)

Applies to servers using Apache HTTP Server on Ubuntu.

Action

  1. Open the security configuration:

  2. Ensure the following settings are applied:

    Explanation:

    • ServerTokens Prod limits the header to the product name only (Server: Apache), with no version or OS information.
    • ServerSignature Off removes the server signature line, which includes the version, from server-generated error pages.

  3. Restart the service:

  4. Verify with:
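Because the Requirements section asks for these checks during regular reviews and new installations, it helps to audit the configuration text itself as well as the live headers. The script below is an added example, not part of the Sunet guideline: it reports whether an active (uncommented) server_tokens off; is present in an Nginx configuration, and whether the last ServerTokens and ServerSignature directives in an Apache configuration are Prod and Off. The configuration excerpts are constructed for illustration, and any file path you pass on the command line is your own; the guideline does not name one.

```shell
#!/bin/sh
# Added example (not part of the guideline): audit web-server configuration
# text for the directives the guideline requires. Paths are not assumed here;
# pass the configuration file of your own installation as an argument.

# nginx_server_tokens CONFIG_TEXT
#   Prints "off" when an active (uncommented) "server_tokens off;" is present
#   and no active "server_tokens on;" re-enables it; otherwise prints "on"
#   (the Nginx default). Comments are stripped before matching, so the
#   commented-out "# server_tokens off;" the guideline mentions does not count.
nginx_server_tokens() {
    active=$(printf '%s\n' "$1" | sed 's/#.*$//' \
        | grep -E '^[[:space:]]*server_tokens[[:space:]]+(on|off)[[:space:]]*;' \
        | awk '{ sub(/;.*/, "", $2); print $2 }')
    if printf '%s\n' "$active" | grep -qx off && ! printf '%s\n' "$active" | grep -qx on; then
        echo off
    else
        echo on
    fi
}

# apache_last_directive CONFIG_TEXT NAME
#   Prints the lower-cased value of the last active NAME directive (Apache
#   applies the last one it reads; directive names are case-insensitive),
#   or nothing if the directive is absent.
apache_last_directive() {
    printf '%s\n' "$1" | sed 's/#.*$//' \
        | grep -Ei "^[[:space:]]*$2[[:space:]]+" \
        | tail -n 1 | awk '{ print tolower($2) }'
}

# apache_header_hardened CONFIG_TEXT
#   Prints "ok" when ServerTokens is Prod and ServerSignature is Off, else "fix".
apache_header_hardened() {
    tokens=$(apache_last_directive "$1" ServerTokens)
    signature=$(apache_last_directive "$1" ServerSignature)
    if [ "$tokens" = prod ] && [ "$signature" = off ]; then
        echo ok
    else
        echo fix
    fi
}

# Constructed configuration excerpts (not copied from any real server).
NGINX_BEFORE='http {
    # server_tokens off;
    sendfile on;
}'

NGINX_AFTER='http {
    server_tokens off;
    sendfile on;
}'

APACHE_BEFORE='ServerTokens OS
ServerSignature On'

APACHE_AFTER='ServerTokens Prod
ServerSignature Off'

# Usage: sh audit_server_header_config.sh nginx  <path to nginx configuration>
#        sh audit_server_header_config.sh apache <path to apache security configuration>
# With no arguments the script only audits the constructed excerpts.
case "$1" in
    nginx)  echo "server_tokens: $(nginx_server_tokens "$(cat "$2")")" ;;
    apache) echo "apache headers: $(apache_header_hardened "$(cat "$2")")" ;;
    "")     echo "nginx before: $(nginx_server_tokens "$NGINX_BEFORE"), after: $(nginx_server_tokens "$NGINX_AFTER")"
            echo "apache before: $(apache_header_hardened "$APACHE_BEFORE"), after: $(apache_header_hardened "$APACHE_AFTER")" ;;
esac
```

The Nginx check is conservative: a later server_tokens on; in any context counts as re-enabling the version, so the script reports "on" and leaves it to the reviewer to decide whether that context matters. Included files are not followed; run the script on each file that carries the directives.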


Caddy

Caddy does not expose version numbers by default.

No action is required.


Requirements

  • Web servers must not expose version numbers in HTTP headers.
  • Configuration changes must be verified.
  • Checks should be included in regular security reviews and during new installations.