Web server default welcome page
Description
The web server is configured with its default welcome or placeholder page, indicating that the server has not been properly configured for production use. Default pages often reveal server type, version information, and configuration details that can assist attackers in reconnaissance activities. This finding suggests incomplete deployment or an unused web service running on the system.
Remediation
If the web server is actively used, replace the default welcome page with your application content. If the server is not needed, disable or remove the web service entirely to reduce the attack surface.
For Apache servers, modify the default site configuration to point to your application or disable the default virtual host:
    # Disable default site
    a2dissite 000-default
    systemctl reload apache2
For Nginx, remove or modify the default server block in /etc/nginx/sites-enabled/default.
For IIS, remove the default website or configure it with your application content through IIS Manager.
If the web server is unnecessary, stop and disable the service:
    # For systemd-based systems; set SERVICE to the unit in use (apache2, nginx or httpd)
    SERVICE=apache2
    systemctl stop "$SERVICE"
    systemctl disable "$SERVICE"
After making changes, verify that only intended content is accessible and that no default pages remain visible.
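One way to script that verification step, as an added example that is not part of the original advisory: the function below classifies a response body as a stock Apache, Nginx or IIS welcome page. The marker strings, the function names and the sample bodies are assumptions constructed for illustration; extend the markers for the pages your distribution ships.

```shell
#!/bin/sh
# Added example: flag stock welcome pages after remediation.
# Marker strings are assumptions based on commonly shipped default pages.

# Reads an HTML body on stdin. Prints apache|nginx|iis and returns 0 when a
# default-page marker is found; prints "none" and returns 1 otherwise.
detect_default_page() {
    _body=$(cat)
    if printf '%s' "$_body" | grep -qiE \
        'Apache2 (Debian|Ubuntu) Default Page|<h1>It works!</h1>|Test Page for the Apache HTTP Server'; then
        echo apache; return 0
    fi
    if printf '%s' "$_body" | grep -qi '<title>Welcome to nginx!</title>'; then
        echo nginx; return 0
    fi
    if printf '%s' "$_body" | grep -qiE '<title>IIS Windows Server</title>|<title>IIS7</title>'; then
        echo iis; return 0
    fi
    echo none; return 1
}

# check_url URL: fetch a live page and classify it (needs curl and network access).
check_url() {
    curl -sS --max-time 10 "$1" | detect_default_page
}

# Constructed sample bodies so the classifier can be exercised offline.
SAMPLE_NGINX='<html><head><title>Welcome to nginx!</title></head><body><h1>Welcome to nginx!</h1></body></html>'
SAMPLE_APACHE='<html><body><h1>It works!</h1></body></html>'
SAMPLE_APP='<html><head><title>Orders portal</title></head><body>Sign in</body></html>'

for sample in "$SAMPLE_NGINX" "$SAMPLE_APACHE" "$SAMPLE_APP"; do
    # "|| true" keeps the loop going when the function returns 1 for "none".
    result=$(printf '%s' "$sample" | detect_default_page) || true
    printf '%s\n' "$result"
done
```

Run `check_url` against the server's bare IP address as well as each hostname, since the default virtual host answers requests that match no configured site.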