Technology Fingerprinting · Updated 2026-05-02
Server Header Disclosure
Pass needs absent, generic, or CDN-pass-through Server header. Version exposed scores zero. Genericize per web server.
The Server response header is the simplest fingerprint your origin sends. "Server: Apache/2.4.41 (Ubuntu)" tells an attacker the exact version of Apache, which OS family it is on, and (in some cases) the package vintage. From there, public CVE databases narrow attack research from "all web servers" to "this specific version". This check scores per primary host and rewards genericized, absent, or CDN-pass-through Server headers.
How the check works
Per primary host, the check reads the Server header and assigns one of five tiers:
- Tier "absent" (1.0 score): no Server header at all. Best.
- Tier "cdn_proxy_pass" (1.0): value contains a known CDN/proxy substring (cloudflare, cloudfront, fastly, akamai, netlify, vercel, azurefd, gfe/, google frontend, incapsula, imperva, stackpath, edgio). The fingerprint is the CDN, not your origin; treated as okay.
- Tier "generic_nginx_pass" (1.0): value is exactly nginx with no version digits. Software name without version is allowed for the most-deployed web server because the value is so common it carries minimal recon value.
- Tier "software_name_only" (~0.68): value names a server (Apache, IIS, etc.) but no version. Reason: server_software_identifiable.
- Tier "version_disclosed" (0.0): value contains a version number pattern (digits.digits). Reason: server_version_exposed.
Per-host scores are weighted (apex highest) and averaged across all primary hosts. Verdict thresholds: pass at 0.9 and above, warn at 0.45 and above, fail below.
How the verdict maps to evidence
- Pass: every primary host scores at or near 1.0 (absent, CDN, or generic nginx).
- Warn: at least one host on the software-name tier (named server, no version).
- Fail: at least one host exposing version, or a mix dragging the weighted average below 0.45.
Evidence shows host_rows with each host's server_observed value and the assigned tier.
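The tiering, weighted rollup and verdict mapping above, written out as an added Python example (not RedScore's own code). It classifies a Server value with the five tiers and reasons listed, parses the value out of a raw response head such as the text `curl -sI` prints, and builds host_rows like the evidence. Two details are assumptions, since the page does not state them: the apex host is weighted 2.0 against 1.0 for every other host, and the "at least one host" rules in the verdict mapping are applied as overrides on top of the 0.9 / 0.45 thresholds. The hostnames and response heads are constructed sample data.

```python
import re

# Tier scores as stated on the page (software_name_only is given as ~0.68).
TIER_SCORE = {
    "absent": 1.0,
    "cdn_proxy_pass": 1.0,
    "generic_nginx_pass": 1.0,
    "software_name_only": 0.68,
    "version_disclosed": 0.0,
}

# Known CDN / proxy substrings from the cdn_proxy_pass tier description.
CDN_SUBSTRINGS = (
    "cloudflare", "cloudfront", "fastly", "akamai", "netlify", "vercel",
    "azurefd", "gfe/", "google frontend", "incapsula", "imperva",
    "stackpath", "edgio",
)

# "digits.digits" version pattern from the version_disclosed tier.
VERSION_RE = re.compile(r"\d+\.\d+")


def classify(server_value):
    """Map an observed Server value (None when absent) to (tier, score, reason).

    Tiers are tested in the page's order: absent, CDN substring, bare nginx,
    version pattern, then software name only.
    """
    if server_value is None or not server_value.strip():
        return "absent", TIER_SCORE["absent"], None
    value = server_value.strip()
    lowered = value.lower()
    if any(cdn in lowered for cdn in CDN_SUBSTRINGS):
        return "cdn_proxy_pass", TIER_SCORE["cdn_proxy_pass"], None
    if lowered == "nginx":
        return "generic_nginx_pass", TIER_SCORE["generic_nginx_pass"], None
    if VERSION_RE.search(value):
        return "version_disclosed", TIER_SCORE["version_disclosed"], "server_version_exposed"
    return "software_name_only", TIER_SCORE["software_name_only"], "server_software_identifiable"


def server_header_from_raw(raw_head):
    """Return the Server header value from a raw HTTP response head, or None if absent."""
    for line in raw_head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def evaluate(hosts, apex):
    """hosts: {hostname: raw response head}. Returns verdict, weighted score and host_rows."""
    host_rows, total, weight_sum = [], 0.0, 0.0
    for host, raw_head in hosts.items():
        observed = server_header_from_raw(raw_head)
        tier, score, reason = classify(observed)
        weight = 2.0 if host == apex else 1.0  # ASSUMPTION: apex counts double
        host_rows.append({"host": host, "server_observed": observed,
                          "tier": tier, "score": score, "reason": reason})
        total += weight * score
        weight_sum += weight
    weighted = total / weight_sum if weight_sum else 0.0
    tiers = {row["tier"] for row in host_rows}
    # Thresholds from the page, with the per-host rules applied as overrides (assumption).
    if "version_disclosed" in tiers or weighted < 0.45:
        verdict = "fail"
    elif "software_name_only" in tiers or weighted < 0.9:
        verdict = "warn"
    else:
        verdict = "pass"
    return {"verdict": verdict, "weighted_score": weighted, "host_rows": host_rows}


# Constructed sample response heads: apex behind a CDN, www on bare nginx,
# api.* straight to an origin that exposes its version.
SAMPLE_HEADS = {
    "example.com": "HTTP/2 200\r\nserver: cloudflare\r\ncontent-type: text/html\r\n",
    "www.example.com": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n",
    "api.example.com": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                       "Content-Type: application/json\r\n",
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_HEADS, apex="example.com")
    print(result["verdict"], round(result["weighted_score"], 3))
    for row in result["host_rows"]:
        print(row)
```

With the sample above the weighted score is (2.0 × 1.0 + 1.0 × 1.0 + 1.0 × 0.0) / 4.0 = 0.75, which the thresholds alone would call warn, but the exposed version on api.example.com makes the verdict fail, matching the "at least one host exposing version" rule.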
Special states
- Not Applicable: domain redirects to a different site, or primary serves a default/empty placeholder.
- Degraded: probe data unavailable. Fix Web Assessability first.
Fix: hide or genericize the Server header
The fastest path to full credit is to put your origin behind a CDN that sets its own Server header (Cloudflare, CloudFront, Fastly). Otherwise, configure each web server to suppress version output. Removing the header entirely is best, but most stacks make genericizing easier than removing.
nginx
Hide nginx version (still sends "Server: nginx")
# In the http {} block of nginx.conf:
http {
    server_tokens off;  # removes version from Server header
    ...
}
# Result: Server: nginx (no version), passes the check at the
# generic_nginx_pass tier.
Remove the Server header entirely (requires headers-more module)
# nginx-extras package on Debian/Ubuntu, or compile with
# --add-module=ngx_headers_more
more_clear_headers Server;
Genericize Apache Server header
# In httpd.conf or apache2.conf (server-wide):
ServerTokens Prod      # Server: Apache (no version, no OS)
ServerSignature Off    # No server signature in error pages
# Result: Server: Apache (named server, no version)
# This lands at tier "software_name_only" (~0.68), not full pass.
# To get full credit, put Apache behind a CDN that overwrites the header.
Hide IIS Server header (web.config)
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
On older IIS (pre-10), use an outbound URL Rewrite rule to remove the header. For ASP.NET Core hosted via Kestrel: builder.WebHost.UseKestrel(o => o.AddServerHeader = false).
Behind a CDN
- Cloudflare: orange-cloud the record. Cloudflare overwrites Server with "cloudflare" automatically. Origin's Server header is never seen by clients.
- AWS CloudFront: by default the origin's Server header passes through. Use a Response Headers Policy to remove or override it.
- Fastly: configure a vcl_deliver rule to set Server header explicitly.
- Akamai, Imperva, Sucuri: each provider has a header-rewrite control in their portal.
Verify the fix
- curl -sI https://yourdomain.tld | grep -i '^server:' shows the current Server header. Look for absence, a CDN value, or a name without a version.
- Repeat for every primary host (apex, www, api, etc.). Each is scored independently.
- Re-run the RedScore lookup. Pass requires no version on any primary host.
Common pitfalls
- Hidden version still leaks via X-Powered-By or other headers. Server is one header in this check; X-Powered-By is scored separately under Framework Disclosure. Both need to be cleaned up.
- Header set at one layer, version still leaks at another. Origin sets Server: Apache/2.4.x; the CDN strips and replaces it. Strict-mode WAFs that probe the origin directly still see the version. Strip at both layers if the origin is directly reachable.
- Different hosts behind different infrastructure. Apex behind CDN (clean Server header), api.yourdomain.tld direct to origin (Apache version exposed). Both count toward the rollup. Front everything with the same edge or genericize per-host.
- ServerSignature still on. Apache's ServerSignature directive controls the verbose footer in error pages, separately from ServerTokens. Set it to Off; otherwise error pages keep showing the version even when the Server header itself is genericized.
- Reverse proxy adds its own Server header. Some WAFs and load balancers add Server: WAF-Vendor on outbound responses. This reads as the CDN-pass tier here (full credit), but go beyond this check and review the other diagnostic headers (Via, X-Cache, etc.) for version leaks.
- Security-by-obscurity argument. Hiding the version does not patch known vulnerabilities; it just removes the cheapest recon signal. Pair it with the actual fix: keep your server software updated (see Stack Exposure Profile).