Details | |
---|---|
Alert ID | 10036-1 |
Alert Type | Passive |
Status | release |
Risk | Informational |
CWE | 200 |
WASC | 13 |
Technologies Targeted | All |
Tags | CWE-200 OWASP_2017_A06 OWASP_2021_A05 WSTG-V42-INFO-02 |
More Info | Scan Rule Help |
Summary
The web/application server is leaking the software it uses as a web server via the "Server" HTTP response header. Access to such information may help attackers identify other vulnerabilities your web/application server is subject to. On its own, i.e. without a version string, this information is not very dangerous for the security of a server; nevertheless it serves almost no purpose in the response header and only adds an unnecessary attack vector.
Solution
Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.
Other Info
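The following Python script is an added example, not code from the ZAP scan rule itself. It shows the check this passive rule performs and lets you verify the Solution above offline: it parses raw HTTP responses with the standard library and grades the "Server" header from "suppressed" (absent) through "generic", "product-only" (what this Informational alert reports) up to "product-and-version". The sample responses, the product list and the grading labels are constructed for illustration and are not ZAP's own.

```python
"""Offline grading of the 'Server' response header (added example)."""
import re
from http.client import parse_headers
from io import BytesIO

# Constructed sample responses; none were captured from a real host.
SAMPLE_RESPONSES = {
    "version_leak": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n",
    "product_only": b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "generic":      b"HTTP/1.1 200 OK\r\nserver: webserver\r\nContent-Type: text/html\r\n\r\n",
    "suppressed":   b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Illustrative, not exhaustive, list of product names a Server header may carry.
KNOWN_PRODUCTS = ("apache", "nginx", "microsoft-iis", "lighttpd", "openresty",
                  "gunicorn", "jetty", "tomcat", "caddy", "litespeed")

# A dotted number such as "2.4.57" is treated as a version string.
VERSION_RE = re.compile(r"\d+\.\d+")


def server_header(raw_response: bytes):
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    _status_line, _, header_block = head.partition(b"\r\n")
    # parse_headers reads header lines up to a blank line; lookups are case-insensitive.
    headers = parse_headers(BytesIO(header_block + b"\r\n\r\n"))
    return headers.get("Server")


def classify_server_header(value):
    """Grade a Server header value from least to most revealing."""
    if value is None or not value.strip():
        return "suppressed"           # header absent: nothing leaked
    lowered = value.lower()
    if VERSION_RE.search(lowered):
        return "product-and-version"  # exact version present: the more serious case
    if any(product in lowered for product in KNOWN_PRODUCTS):
        return "product-only"         # product name without a version: this alert
    return "generic"                  # e.g. "webserver": acceptable per the Solution


def audit_response(raw_response: bytes):
    """Return (header value, grade) for one raw response."""
    value = server_header(raw_response)
    return value, classify_server_header(value)


def audit_samples():
    """Grade every constructed sample response."""
    return {name: audit_response(raw) for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, (value, grade) in audit_samples().items():
        print(f"{name:14s} Server={value!r:28s} -> {grade}")
```

Run it after changing the server configuration (for Apache, the ServerTokens directive linked under References) and feed it the raw response captured from your own host; a "suppressed" or "generic" grade means the header no longer triggers this alert.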
References
- https://httpd.apache.org/docs/current/mod/core.html#servertokens
- https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)
- https://www.troyhunt.com/shhh-dont-let-your-response-headers/