Error page web server version disclosure
Description
Web servers may disclose their exact version number, and often the operating system and enabled modules as well, in the Server header of HTTP responses and in the footer of server-generated error pages (for example a default 404 page). This information leakage occurs when the server is left at its default verbosity rather than configured to suppress technical details. An attacker can match the disclosed version and module list against known vulnerabilities for that release and pick exploits without further probing.
Invicti identified that the target web server is exposing its version number and a list of installed modules. This information can be found in error responses or server headers. Review the 'Attack details' section to see the specific pages and responses where this disclosure was detected.
Remediation
Configure your web server to suppress version information and module details in error pages and HTTP response headers. Implementation steps vary by server type:
Apache HTTP Server:
Edit your Apache configuration file (httpd.conf or apache2.conf; on Debian and Ubuntu these directives are usually kept in conf-available/security.conf) and add or modify the following directives. ServerTokens is only valid in the main server configuration, not inside a VirtualHost block:
ServerTokens Prod
ServerSignature Off
ServerTokens Prod reduces the Server header to "Apache", dropping the version, operating system and module versions (for example OpenSSL or PHP) that the default setting appends. ServerSignature Off removes the footer line that Apache adds to the error pages it generates itself, which otherwise repeats the same details.
Nginx:
Add the following directive to your nginx.conf file within the http, server, or location block:
server_tokens off;
This stops nginx from appending its version number to the Server header and to its built-in error pages. Note that the open-source build still sends "Server: nginx"; removing or renaming the header entirely requires a third-party module such as headers-more, so decide in advance whether your check treats a bare product name as acceptable.
Microsoft IIS:
Remove the Server header either with an outbound rule in the URL Rewrite module or, on IIS 10.0 version 1709 and later, with the removeServerHeader attribute in web.config. IIS also adds an X-Powered-By header by default; remove it in the customHeaders element:
<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
After making these changes, restart (or reload) your web server and verify that version information is no longer disclosed: request a path that does not exist so the server returns its own error page rather than the application's, then inspect the body and the Server and X-Powered-By response headers.
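One way to perform that verification, written here as an added example rather than code from Invicti or from any of the server projects: the script below fetches a URL you supply (point it at a path that does not exist), then scans the Server, X-Powered-By, X-AspNet-Version and X-AspNetMvc-Version headers and the error-page body for product/version strings. The header list, the regular expressions and the sample responses are assumptions made for illustration; the samples are constructed to resemble each server's default and hardened output and were not captured from real hosts.

```python
"""Verification helper for the remediation steps above.

Added example, not Invicti's own check: the header list, regular
expressions and sample responses are assumptions chosen for illustration.
"""
import re
import sys
import urllib.error
import urllib.request

# Response headers that commonly carry product and version details.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# "product/version" tokens such as Apache/2.4.41, nginx/1.18.0, OpenSSL/1.1.1f, PHP/7.4.3.
# Any name/number pair is flagged, so a URL like example.com/1.2.3 inside the body is a
# false positive; on a server-generated error page that is rare.
PRODUCT_VERSION = re.compile(r"\b([A-Za-z][A-Za-z0-9_.-]*)/(\d+(?:\.\d+)+[A-Za-z0-9]*)")
# Bare version values, e.g. "X-AspNet-Version: 4.0.30319".
BARE_VERSION = re.compile(r"^\d+(?:\.\d+)+$")


def find_disclosures(headers, body):
    """Return (location, finding) pairs for every version string found.

    headers: dict of header name -> value (names matched case-insensitively)
    body:    response body as text (the error page)
    """
    findings = []
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in DISCLOSING_HEADERS:
        value = lowered.get(name)
        if value is None:
            continue
        for product, version in PRODUCT_VERSION.findall(value):
            findings.append((name, f"{product}/{version}"))
        if BARE_VERSION.match(value.strip()):
            findings.append((name, value.strip()))
    # Apache's <address> signature and nginx's <center> footer both land here.
    for product, version in PRODUCT_VERSION.findall(body):
        findings.append(("body", f"{product}/{version}"))
    return findings


def check_url(url, timeout=10):
    """Fetch url and report disclosures. Use a path that does not exist so the
    server answers with its own error page rather than the application's."""
    request = urllib.request.Request(url, headers={"User-Agent": "version-disclosure-check"})
    try:
        response = urllib.request.urlopen(request, timeout=timeout)
    except urllib.error.HTTPError as err:
        response = err  # 4xx/5xx: HTTPError still carries the headers and body
    body = response.read().decode("utf-8", errors="replace")
    return find_disclosures(dict(response.headers.items()), body)


# Constructed sample responses (not captured from real hosts) resembling each
# server's default output and its output after the remediation above.
SAMPLES = {
    "apache-default": (
        {"Server": "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f", "X-Powered-By": "PHP/7.4.3"},
        "<address>Apache/2.4.41 (Ubuntu) Server at example.com Port 80</address>",
    ),
    "apache-hardened": (
        {"Server": "Apache"},
        "<address>Apache Server at example.com Port 80</address>",
    ),
    "nginx-default": ({"Server": "nginx/1.18.0"}, "<hr><center>nginx/1.18.0</center>"),
    "nginx-hardened": ({"Server": "nginx"}, "<hr><center>nginx</center>"),
    "iis-default": ({"Server": "Microsoft-IIS/10.0", "X-AspNet-Version": "4.0.30319"}, ""),
    "iis-hardened": ({}, ""),
}


def run_samples():
    """Return {sample name: number of disclosures} for the constructed samples."""
    return {name: len(find_disclosures(h, b)) for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for location, finding in check_url(sys.argv[1]):
            print(f"{location}: {finding}")
    else:
        for name, count in run_samples().items():
            print(f"{name}: {count} disclosure(s)")
```

Run it with a URL such as https://example.com/this-path-does-not-exist to check a live host; with no argument it evaluates the constructed samples, which should report disclosures only for the three default configurations. Note that the check also inspects X-AspNet-Version, which the web.config fragment above does not suppress: that header is controlled by ASP.NET's httpRuntime enableVersionHeader setting in system.web, not by system.webServer.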