ZenovayTools

Server Info Disclosure

Detects HTTP headers that leak server/technology versions: Server, X-Powered-By, X-AspNet-Version, X-Generator, X-Runtime, X-Varnish. Severity-rated findings. Grade A-F.

How to Use Server Info Disclosure

  1. Enter the URL to check for server information disclosure.
  2. The tool sends a HEAD request and reads all HTTP response headers.
  3. Headers revealing server/tech versions are flagged with severity ratings.
  4. Review recommendations to remove or sanitize disclosure headers.
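The four steps above, as an added worked example that is not ZenovayTools' own code: it parses a raw HTTP response (two constructed samples are embedded, a leaky default install and the same site after `server_tokens off`), flags the six headers the tool lists, rates each finding and turns the ratings into an A-F grade. The severity weights, grade thresholds and recommendation wording are this example's assumptions, not the tool's published scale; `fetch_headers()` performs the live HEAD request for a URL you own when one is given on the command line.

```python
"""Flag HTTP response headers that disclose server/technology versions,
rate each finding and compute an A-F grade (offline on sample responses,
or against a URL passed as argv[1])."""
import http.client
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Headers the tool checks. Tuple = (severity when the value carries a version
# number, severity when it only names the product). The severity scheme and the
# grade thresholds below are this example's assumptions, not the tool's scale.
DISCLOSURE_HEADERS = {
    "server":           ("high", "medium"),
    "x-powered-by":     ("high", "medium"),
    "x-aspnet-version": ("high", "high"),   # exists only to carry a version
    "x-generator":      ("medium", "low"),
    "x-runtime":        ("low", "low"),     # Rails/Rack timing; value is not a version
    "x-varnish":        ("low", "low"),     # Varnish transaction ids; fingerprint only
}
# X-Runtime/X-Varnish values are numeric too, so the version regex is only
# applied to headers whose values really carry product versions.
VERSION_BEARING = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    header: str
    value: str
    severity: str
    recommendation: str


def parse_raw_response(raw: str) -> Dict[str, str]:
    """Split the head of a raw HTTP response into a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # element 0 is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Send a single HEAD request, as the tool does, and return its headers."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        return {k.lower(): v for k, v in conn.getresponse().getheaders()}
    finally:
        conn.close()


def analyze_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return one Finding per disclosure header present in the response."""
    findings: List[Finding] = []
    for name, value in headers.items():
        if name not in DISCLOSURE_HEADERS:
            continue
        with_ver, without_ver = DISCLOSURE_HEADERS[name]
        leaks_version = name in VERSION_BEARING and bool(VERSION_RE.search(value))
        if leaks_version:
            rec = f"Strip the version from '{name}' or remove the header entirely."
        else:
            rec = f"Remove '{name}'; even without a version it fingerprints the stack."
        findings.append(Finding(name, value, with_ver if leaks_version else without_ver, rec))
    return findings


def grade(findings: List[Finding]) -> str:
    """Map the weighted sum of severities to an A-F grade (thresholds assumed)."""
    score = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    for limit, letter in ((0, "A"), (2, "B"), (4, "C"), (6, "D")):
        if score <= limit:
            return letter
    return "F"


# Constructed sample responses: a leaky default install, and the same site after
# 'server_tokens off', which leaves a bare product name in the Server header.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.49 (Unix)\r\n"
    "X-Powered-By: PHP/8.1.0\r\n"
    "X-Generator: ExampleCMS 3.2\r\n"
    "X-Varnish: 1234567 89\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HARDENED_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_raw_response(LEAKY_RESPONSE)
    findings = analyze_headers(headers)
    for f in findings:
        print(f"[{f.severity.upper():6}] {f.header}: {f.value}  -> {f.recommendation}")
    print("Grade:", grade(findings))
```

Run without arguments to grade the embedded leaky sample (it scores F); the hardened sample still scores only B, because a bare `Server: nginx` fingerprints the product even though the version is gone, which is why the FAQ below recommends removing the header outright rather than stopping at `server_tokens off`.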

Frequently Asked Questions

Why is server version disclosure a security risk?
When your Server header says 'Apache/2.4.49', attackers can immediately look up CVE-2021-41773 (a critical Apache path traversal vulnerability specific to that version) and know your server is vulnerable. Version disclosure turns public CVE databases into a direct attack guide. Removing version info doesn't fix the vulnerabilities themselves, but it removes the low-hanging fruit for automated scanners.
What is X-Powered-By and how do I remove it?
X-Powered-By is automatically added by many frameworks: PHP adds 'X-Powered-By: PHP/8.1.0', Express adds 'X-Powered-By: Express', ASP.NET adds 'X-Powered-By: ASP.NET'. Remove it in: PHP (expose_php = Off in php.ini), Express (app.disable('x-powered-by') or use helmet.js), ASP.NET (custom headers removal in web.config), Next.js (headers config in next.config.js).
How do I configure Nginx to remove version info?
Add 'server_tokens off;' to your nginx.conf (in the http block or a server block). This changes 'Server: nginx/1.22.1' to just 'Server: nginx'; the product name still appears. To remove or replace the header entirely, compile Nginx with the nginx-more module or use the OpenResty headers-more-nginx-module, which lets you set any custom Server value, for example 'more_set_headers "Server: none";'.
Is this a compliance requirement?
Yes — PCI DSS 6.2.4 requires removing unnecessary information from error messages and responses that could reveal software/version information to attackers. OWASP Top 10 includes 'Security Misconfiguration' which covers version disclosure. ISO 27001 and many enterprise security frameworks require minimizing information leakage as part of defense-in-depth.
Does removing server headers actually improve security?
It's defense-in-depth, not a silver bullet. A determined attacker can fingerprint your software through behavior patterns even without explicit version headers. However, it eliminates the easiest attack vector: automated vulnerability scanners (Shodan, Masscan, Nuclei) that scan millions of servers looking for specific versions. It's a minimal-effort, no-downside improvement — always worth doing.