Skip to content

[ZAP Security] Server Leaks Version Information via "Server" HTTP Response Header Field #449

Description

@github-actions

Server Leaks Version Information via "Server" HTTP Response Header Field

Risk Level: Low

Confidence: 3

Description

The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

Solution

Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.

Reference

https://httpd.apache.org/docs/current/mod/core.html#servertokens

https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)

https://www.troyhunt.com/shhh-dont-let-your-response-headers/

CWE ID: 497

WASC ID: 13

Example Instance

URL: https://content-signature-2.cdn.mozilla.net/g/chains/202402/remote-settings.content-signature.mozilla.org-2026-04-17-11-20-45.chain

Method: GET

Evidence:

AmazonS3

This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2026-03-16
Plugin ID: 10036

Scan Metadata

  • Branch: main
  • Template Source: NuGet.org
  • Clean Template Version: 7.0.5
  • Umbraco CMS Version: 17.1.0

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions