Security fix guide
INFO

Server Version in HTTP Headers

Your web server is announcing its software and version number. Learn how to suppress it.

What is this?

Your web server (Apache, Nginx, LiteSpeed, or another) automatically includes its name and version in every response it sends. This header is called "Server" and it looks like: Server: Apache/2.4.51 (Ubuntu). Most browsers quietly ignore it, but every client that requests a page receives it, so it's readable by anyone intercepting network traffic or using developer tools.

Why does it matter?

When an attacker knows you're running Apache 2.4.51, they can search the CVE database for vulnerabilities specific to that version and test those first. It's a minor signal that makes it marginally easier to target your server. Suppressing it is low effort and best practice — even though it's not a critical vulnerability on its own.

How to fix it

These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.

1. Log in to cPanel → File Manager → public_html.

2. Open (or create) .htaccess and add:

ServerSignature Off

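Note: ServerSignature only controls the version line Apache adds to pages it generates itself (error pages, directory listings). The Server header is governed by ServerTokens, which can only be set in the server configuration, so full suppression of the Server header usually requires server-level access. If the scan still shows a server version after this, contact your host and ask them to set ServerTokens to Prod.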

For developers / SSH access

1. For Apache — edit the security config:

sudo nano /etc/apache2/conf-available/security.conf

2. Find or add these two lines:

ServerTokens Prod
ServerSignature Off

3. Restart Apache:

sudo systemctl restart apache2

4. For Nginx — edit nginx.conf:

sudo nano /etc/nginx/nginx.conf

5. Inside the http {} block, add:

server_tokens off;

6. Restart Nginx:

sudo systemctl restart nginx

How to verify the fix

Re-run your scan. You can also check manually via your browser's developer tools (F12 → Network tab → reload page → click any request → look at Response Headers). The Server header should now just say "Apache" or "nginx" with no version number.
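One way to script the manual check above, as an added example that is not part of the original guide: the function reads raw response headers (for instance from curl -sIL) and reports whether the Server header still carries a version token. The function names and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the Server header in a set of HTTP response headers.

# Reads raw response headers on stdin and prints one of:
#   absent            no Server header at all
#   clean:<value>     product name only, e.g. "Apache" or "nginx"
#   version:<value>   a product/version token such as "Apache/2.4.51" is present
server_header_status() {
    tr -d '\r' | awk '
        # Header names are case-insensitive; keep the last Server header,
        # which belongs to the final response when redirects were followed.
        tolower($0) ~ /^server[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")
            value = $0
            found = 1
        }
        END {
            if (!found)                 print "absent"
            else if (value ~ /\/[0-9]/) print "version:" value
            else                        print "clean:" value
        }'
}

# Succeeds (exit 0) unless the headers on stdin disclose a version,
# so it can gate a deployment or monitoring check.
server_header_ok() {
    case "$(server_header_status)" in
        version:*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Live check of a site you operate (needs curl and network access;
# example.com is a placeholder):
#   curl -sIL https://example.com/ | server_header_status

# Constructed sample responses, before and after the fix.
before='HTTP/1.1 200 OK
Server: Apache/2.4.51 (Ubuntu)
Content-Type: text/html'
after='HTTP/1.1 200 OK
server: Apache
Content-Type: text/html'

printf '%s\n' "$before" | server_header_status
printf '%s\n' "$after"  | server_header_status
```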
