Server Security | Information Disclosure | Configuration

How to Hide Server Information and Stop Technology Fingerprinting

Server headers, X-Powered-By, and meta generator tags tell attackers exactly what software your site runs. Learn how to remove them across Nginx, Apache, Node.js, PHP, and .NET.

WebSentry Team | April 26, 2026 | 6 min read

Why Hiding Server Info Matters

When someone visits your website, your server sends back more than just the page — it also sends HTTP response headers. Among these headers, a surprising number of sites accidentally broadcast what software they're running, which version it is, and sometimes even the language their application is built in.

This is called technology fingerprinting, and attackers use it to narrow down which known vulnerabilities to try against your site. It doesn't matter whether your site is actively vulnerable — knowing you're running Apache 2.4.49 on PHP 7.4 gives an attacker a precise shortlist to work from.

When WebSentry scans your site, the server check inspects these headers and flags anything that reveals unnecessary details.

The Headers That Leak Information

Server

The most common offender. A banner like Server: Apache/2.4.52 (Ubuntu) tells an attacker your server software, its exact version, and your OS in one line. The version number is the dangerous part — it can be matched to a CVE list in seconds.

X-Powered-By

Often set automatically by frameworks. Common values: X-Powered-By: PHP/8.1.2, X-Powered-By: Express, X-Powered-By: ASP.NET. Remove it entirely — it provides zero value to legitimate visitors.

X-AspNet-Version / X-AspNetMvc-Version

These are added by .NET applications by default and expose your exact framework version. There's no reason to send them.

X-Generator

Added by some CMS platforms to announce the platform that generated the page. Disable it.

How to Remove These Headers

Nginx

server_tokens off;

With server_tokens off, Nginx drops the version but still sends Server: nginx. To fully remove or replace the header, install the headers-more module:

more_clear_headers Server;

Apache

ServerTokens Prod
ServerSignature Off

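To remove headers entirely, use mod_headers. On a stock httpd build the core writes the Server header itself after mod_headers has run, so the first line below may have no effect there; ServerTokens Prod still trims the banner to Server: Apache.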

Header unset Server
Header always unset X-Powered-By

Node.js / Express

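import express from 'express';
import helmet from 'helmet';
const app = express();
// Stop Express from sending X-Powered-By: Express
app.disable('x-powered-by');
// Or use helmet, which removes X-Powered-By and sets other security headers:
app.use(helmet());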

PHP

In php.ini:

expose_php = Off

ASP.NET

In web.config:

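<configuration>
  <system.web>
    <!-- Stops ASP.NET from sending X-AspNet-Version -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- removeServerHeader requires IIS 10.0 or later -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>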

Cloudflare

If you're behind Cloudflare, it replaces the Server header with cloudflare automatically — that's fine and expected. WebSentry recognises this and won't flag it.

What About the Meta Generator Tag?

The <meta name="generator"> tag in your HTML also announces your CMS. Remove it. In WordPress:

remove_action('wp_head', 'wp_generator');
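
To confirm the changes above took effect, the following added example (not WebSentry's code and not part of the original article) checks a response's headers and HTML for the disclosure points this article lists. The function name, finding format and sample responses are constructed for illustration; a bare Server token without a version is treated as acceptable, as the article does for cloudflare.

```javascript
// Added example: audit one response for the disclosure points listed in this article.
// auditDisclosure and the sample responses are hypothetical, constructed for illustration.

// Headers the article says to remove outright.
const REMOVE_ENTIRELY = ['x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version', 'x-generator'];

function auditDisclosure(headers, html = '') {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  const findings = [];
  for (const name of REMOVE_ENTIRELY) {
    if (name in h) findings.push({ source: name, value: h[name], reason: 'remove header' });
  }

  // A Server header is a finding only when it carries a version or OS detail;
  // a bare product token such as "cloudflare" or "Apache" is left alone.
  const server = h['server'];
  if (server !== undefined && (/\d+\.\d+/.test(server) || /\(.+\)/.test(server))) {
    findings.push({ source: 'server', value: server, reason: 'version or OS in banner' });
  }

  // <meta name="generator" content="..."> in the HTML, in either attribute order.
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (/\sname\s*=\s*["']?generator\b/i.test(tag)) {
      const m = tag.match(/\scontent\s*=\s*["']([^"']*)["']/i);
      findings.push({ source: 'meta generator', value: m ? m[1] : '', reason: 'remove tag' });
    }
  }
  return findings;
}

// Constructed samples: an unhardened response and a hardened one behind Cloudflare.
const leaky = auditDisclosure(
  { Server: 'Apache/2.4.52 (Ubuntu)', 'X-Powered-By': 'PHP/8.1.2' },
  '<head><meta name="generator" content="WordPress 6.4"></head>'
);
const hardened = auditDisclosure({ Server: 'cloudflare', 'Content-Type': 'text/html' }, '<head></head>');
console.log(leaky.map(f => f.source), hardened.length);
```

Feed it the headers and body from a real response to your own site after each configuration change; an empty result means none of the listed disclosure points remain.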

Summary

The goal isn't to hide that you have a server — it's to not volunteer information that attackers can weaponise. Run a WebSentry scan to see exactly what your server is giving away.
