Pro Analyzer — Available with ShieldCI Pro

Web Server Fingerprinting Analyzer

| Analyzer ID | Category | Severity | Time To Fix |
|---|---|---|---|
| web-server-fingerprinting | 🛡️ Security | Medium | 5 minutes |

What This Checks

This analyzer detects web server information disclosure through the Server HTTP response header by making a live HTTP request and inspecting the response:

  • Server software and version - Detects Apache, Nginx, IIS, Lighttpd, LiteSpeed, and Caddy version numbers (e.g., Apache/2.4.41, nginx/1.18.0)
  • Operating system disclosure - Flags OS information like Ubuntu, Debian, CentOS, Red Hat, Fedora, Windows
  • PHP version disclosure - Detects PHP/ version strings in headers
  • Module disclosure - Flags OpenSSL and mod_ssl version information
  • Multiple exposures - Reports all exposed information from a single response

The analyzer makes a real HTTP request to a guest route (login page or homepage) and examines the Server header in the response.
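The following is an added example, not ShieldCI's own analyzer code, showing the shape of the check described above: a parser that classifies what a Server header value discloses (software version, OS, PHP version, OpenSSL/mod_ssl version), plus a helper that fetches a guest route and runs the parser on the live response. The regexes, function names and the constructed sample header values are assumptions; the same helper can be pointed at a staging URL after applying one of the fixes below to confirm the header no longer carries version information.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Patterns mirroring the categories the analyzer reports. These regexes are
# an assumption for illustration, not the project's own matching rules.
SERVER_SOFTWARE = re.compile(
    r"\b(Apache|nginx|Microsoft-IIS|lighttpd|LiteSpeed|Caddy)/(\d+(?:\.\d+)*)",
    re.IGNORECASE,
)
OS_NAMES = re.compile(r"\b(Ubuntu|Debian|CentOS|Red Hat|Fedora|Windows)\b", re.IGNORECASE)
PHP_VERSION = re.compile(r"\bPHP/(\d+(?:\.\d+)*)")
MODULES = re.compile(r"\b(OpenSSL|mod_ssl)/(\d+(?:\.\d+)*[a-z]?)")


@dataclass
class Finding:
    kind: str    # server-version | os | php-version | module-version
    detail: str  # the exposed token, e.g. "Apache/2.4.41"


def inspect_server_header(value):
    """Return one Finding per piece of information the Server header exposes.

    A missing header or a bare product name ("nginx", "Apache") yields no
    findings: that is the state the fixes in this document aim for.
    """
    findings = []
    if not value:
        return findings
    for m in SERVER_SOFTWARE.finditer(value):
        findings.append(Finding("server-version", f"{m.group(1)}/{m.group(2)}"))
    for m in OS_NAMES.finditer(value):
        findings.append(Finding("os", m.group(1)))
    for m in PHP_VERSION.finditer(value):
        findings.append(Finding("php-version", f"PHP/{m.group(1)}"))
    for m in MODULES.finditer(value):
        findings.append(Finding("module-version", f"{m.group(1)}/{m.group(2)}"))
    return findings


def check_url(url, timeout=5):
    """Make one live GET to a guest route and inspect its Server header.

    Error responses (4xx/5xx) still carry the header, so they are inspected too.
    Returns (raw_header_value_or_None, list_of_findings).
    """
    req = urllib.request.Request(url, headers={"User-Agent": "server-header-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            server = resp.headers.get("Server")
    except urllib.error.HTTPError as err:
        server = err.headers.get("Server")
    return server, inspect_server_header(server)


# Constructed sample header values, covering a full-disclosure case, a
# version-only case, and the two "fixed" states (bare product name, no header).
SAMPLE_HEADERS = [
    "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f PHP/7.4.3",
    "nginx/1.18.0",
    "Microsoft-IIS/10.0",
    "nginx",   # server_tokens off
    None,      # header removed entirely
]


def report(value):
    """Human-readable one-line verdict for a header value."""
    findings = inspect_server_header(value)
    if not findings:
        return f"{value!r}: OK, nothing disclosed"
    return f"{value!r}: " + ", ".join(f"{f.kind}={f.detail}" for f in findings)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live mode: python3 this.py https://staging.example (hypothetical host)
        raw, found = check_url(sys.argv[1])
        print(report(raw))
    else:
        for sample in SAMPLE_HEADERS:
            print(report(sample))
```

Run without arguments to see the parser classify the constructed samples; pass a URL to repeat the live check the analyzer performs against a staging or production host.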

Why It Matters

The Server header reveals information that helps attackers plan targeted attacks:

  • Targeted exploit selection - Knowing the exact server version allows attackers to use known CVEs (e.g., Apache 2.4.49 path traversal CVE-2021-41773, nginx DNS resolver vulnerability CVE-2021-23017)
  • Automated vulnerability scanning - Tools like Shodan, Censys, and Nmap use server headers to build vulnerability databases
  • Reconnaissance efficiency - Reduces attacker effort by eliminating guesswork about the server stack
  • Information leakage (CWE-200) - Server headers can reveal the full stack: web server, OS, PHP version, and SSL implementation
  • Attack surface mapping - Combined with other headers, attackers can build a complete profile of your infrastructure

While security through obscurity is not a standalone defense, removing version information raises the cost of attacks and reduces automated scanning effectiveness.

How to Fix

Quick Fix (2 minutes)

Configure your web server to suppress version information:

Nginx:

```nginx
# /etc/nginx/nginx.conf
http {
    # Remove version number from Server header (header becomes "Server: nginx")
    server_tokens off;
}
```

Apache:

```apache
# /etc/apache2/conf-enabled/security.conf
# Only show "Apache" without version or OS
ServerTokens Prod

# Remove server version from error pages
ServerSignature Off
```

Proper Fix (5 minutes)

Remove or obfuscate the Server header entirely and suppress related headers:

Nginx (complete removal):

```nginx
# /etc/nginx/nginx.conf
http {
    server_tokens off;

    # Requires headers-more-nginx-module (provides more_clear_headers)
    more_clear_headers Server;
}
```

Apache (complete removal):

```apache
# Requires mod_headers
<IfModule mod_headers.c>
    # Note: stock Apache httpd emits the Server header in its core output
    # filter after mod_headers has run, so this line often has no visible
    # effect on its own. Keep ServerTokens Prod below and verify the result
    # with: curl -sI https://your-host/ | grep -i '^server'
    Header unset Server
    # X-Powered-By is set by PHP and is removed reliably here
    Header always unset X-Powered-By
</IfModule>

ServerTokens Prod
ServerSignature Off
```

PHP - Remove X-Powered-By:

```ini
; php.ini
; Stops PHP from adding the X-Powered-By: PHP/x.y.z header
expose_php = Off
```

Laravel middleware (defense in depth):

```php
<?php
// app/Http/Middleware/SecurityHeaders.php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Remove version disclosure headers emitted by PHP itself.
        $response->headers->remove('X-Powered-By');
        // The web server adds its own Server header after PHP returns, so this
        // only covers headers set at the application layer; the web server
        // configuration above remains the primary fix.
        $response->headers->remove('Server');

        return $response;
    }
}
```

ShieldCI Configuration

This analyzer is automatically skipped in CI environments ($runInCI = false) and only runs in production and staging.

Why skip in CI and development?

  • The check makes actual HTTP requests to verify the Server response header, which requires a live server
  • CI and local environments don't serve with production-equivalent web server configurations
  • Server version disclosure is a web server infrastructure concern, not a code-correctness concern

When to run this analyzer:

  • Production servers: Confirms server version information is hidden
  • Staging servers: Validates header configuration before production deploy
  • Local development: Skipped (fingerprinting checks require production URL)
  • CI/CD pipelines: Skipped automatically

References