
Server Header Hidden

Checks that the Server response header does not leak version info.

What this check measures

We read the `Server` response header. A value like `Apache/2.4.41 (Ubuntu)` tells an attacker the exact product, version and operating system, so they can skip fingerprinting and go straight to the CVEs and public exploits for that build. Best practice: omit the header, or return only a generic product name such as `nginx` or `Apache`.

Why it matters

Version disclosure is not a vulnerability by itself, but it hands attackers a roadmap: combined with a public CVE for that exact version, they move straight to exploitation instead of probing. Removing it is a low-effort hardening win.


How our audit detects it

We read the `Server` header and match it against a regex for the `name/version` pattern (for example `nginx/1.18.0`). The check is flagged when a version string is present; a missing header or a bare product name passes.
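The detection logic described above, written out as an added example that is not Pantra's own audit code. It parses a raw HTTP response head, pulls out the `Server` header case-insensitively, and flags any `name/version` token; it also reports a parenthesised platform comment such as `(Ubuntu)` as a weaker finding, since that is extra recon even without a version. The sample responses are constructed for the example, and the regex patterns are this example's assumptions about what a version token looks like.

```python
import re

# Tokens of the form product/version, e.g. "nginx/1.18.0", "Apache/2.4.41",
# "Microsoft-IIS/10.0". Assumption for this example: a version starts with
# digits and dots and may carry a suffix such as "1.1.1f" or "2.4.41-dev".
VERSION_TOKEN = re.compile(
    r"\b([A-Za-z][A-Za-z0-9_.-]*)/(\d+(?:\.\d+)*[A-Za-z0-9.-]*)"
)

# Parenthesised comments such as "(Ubuntu)" or "(Win64)" disclose the platform
# even when no version number is present (Apache's "ServerTokens OS" style).
PLATFORM_COMMENT = re.compile(r"\(([^)]+)\)")


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.x response head into a dict keyed by lower-cased
    header name. The status line is skipped; parsing stops at the blank line
    that ends the head. Repeated headers are joined with ', ' as RFC 9110
    permits for list-valued fields."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return headers


def audit_server_header(headers: dict) -> dict:
    """Classify the Server header.

    fail  - at least one name/version token is present
    warn  - no version, but a platform comment such as "(Ubuntu)" is present
    pass  - header absent, or a bare product name with nothing else
    """
    value = headers.get("server")
    if value is None:
        return {"status": "pass", "value": None, "versions": [], "platforms": []}
    versions = VERSION_TOKEN.findall(value)
    platforms = PLATFORM_COMMENT.findall(value)
    status = "fail" if versions else ("warn" if platforms else "pass")
    return {"status": status, "value": value, "versions": versions, "platforms": platforms}


# Constructed sample response heads for the example (not captured traffic).
SAMPLE_RESPONSES = {
    "leaky-apache": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n<html>",
    "leaky-nginx": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n<html>",
    "generic-nginx": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    "no-header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "cdn": "HTTP/1.1 200 OK\r\nserver: cloudflare\r\n\r\n",
}


def run_audit(responses=SAMPLE_RESPONSES) -> dict:
    """Run the check over every sample and return {name: result}."""
    return {name: audit_server_header(parse_headers(raw)) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(f"{name:14} {result['status']:5} {result['value']!r:28} {result['versions']}")
```

The audit only sees the header on the response it receives. If a CDN or reverse proxy sits in front of the origin it may rewrite `Server` with its own product name, so a pass here does not prove the origin itself is hardened; fetch from the origin directly as well when you can reach it.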

Typical findings

  • Server: nginx/1.18.0
  • Server: Apache/2.4.41 (Ubuntu)

How to fix

Configure your server to omit the `Server` header or to return only a generic product name such as `nginx` or `Apache`. Hosted platforms and CDNs (Vercel, Netlify, Cloudflare) usually do this by default, sending their own product name with no version. On self-hosted nginx, set `server_tokens off;` in the `http` block; the header becomes `Server: nginx`. On self-hosted Apache, set `ServerTokens Prod` (the header becomes `Server: Apache`) and `ServerSignature Off` (removes the version footer on server-generated error pages and directory listings). Neither server can drop the header entirely with core directives alone; that needs a third-party module (for example headers-more for nginx) or stripping the header at a reverse proxy in front. After the change, re-check with `curl -sI` against both the public hostname and, if you can reach it, the origin directly, since a proxy in front may rewrite the header.

Frequently asked questions

Is this really security?
Soft hardening — security through obscurity is not enough on its own, but there is no reason to hand attackers free recon.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

