How to fix server information disclosure (Server, X-Powered-By)
Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.
What it is
Server information disclosure means your HTTP responses reveal the type and version of your web server, runtime, or framework. Common culprits are the Server header (e.g. nginx/1.18.0) and X-Powered-By (e.g. PHP/8.1, Express). Attackers use this to pick known exploits that match the disclosed version.
Why it matters
You don't need to advertise your stack to the world. Hiding or genericizing these headers is a small change that makes it harder for automated scanners and attackers to target you. Many compliance and security scans flag disclosure as a finding.
How to fix it
1. Find what you're sending
Run Barrion's server information disclosure check or look at response headers in your browser dev tools. Note Server, X-Powered-By, X-AspNet-Version, or any other header that reveals a product or version. Check more than one kind of response (a page, a static asset, an error page), because headers often differ between them.
2. Remove or genericize in server config
In Nginx, more_clear_headers Server (from the ngx_headers_more module) removes the header, and more_set_headers from the same module can replace it with a generic value; stock Nginx's server_tokens off only drops the version. In Apache, use Header unset Server and similar, and set ServerTokens Prod so that at most the product name is sent. Turn off X-Powered-By in your app server or framework if possible.
3. Application and framework settings
In Node/Express, disable X-Powered-By with app.disable('x-powered-by'). In PHP, set expose_php = Off in php.ini. For other runtimes, check the docs for hiding version headers.
4. Verify
Re-scan or inspect the headers again, including on error responses, which are often produced by a different layer than normal pages. The goal is to stop sending product names and versions that help an attacker.
Examples by platform
Nginx
more_clear_headers Server;   # needs the ngx_headers_more module
# or, with the same module, genericize it instead of removing it:
more_set_headers "Server: WebServer";
server_tokens off;   # stock Nginx: hides only the version, still sends "Server: nginx"
Node.js (Express)
app.disable('x-powered-by');
Check your site
Run Barrion's free information disclosure check to see if this finding applies to your app and get a full report.