Ask HN: Why do web servers still reveal their type and version in headers? Isn't that inviting bad actors to scour the web for servers with just the right vulnerability?
What's to gain by revealing that?
In Nginx one can get rid of this without recompiling by adding the "nginx-mod-http-headers-more" module and adding to nginx.conf:
    more_set_headers 'Server: IIS/4.0'; # or whatever
HAProxy and most load balancer daemons can filter out or replace the Server header. Apache requires a recompile to drop the Server header unless one puts HAProxy in front of it, due to the order in which headers are processed. In HAProxy:
    http-response set-header Server Silly
or
    http-response del-header Server
After making changes one can scan their headers in SecurityHeaders [1] to see what has changed, or use curl:
    curl --head https://some.tld/
As to why they still display this? Showing off in crawler stats who is dominant on the internet.

Had not thought of that.
[1] - https://news.netcraft.com/archives/category/web-server-surve...
[2] - https://news.netcraft.com/images/2022/10/wss-share.png
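A small checker for the "see what has changed" step above, added here as an illustration and not code from any commenter. It parses raw HTTP/1.x response headers and reports which of the commonly disclosing headers (Server, X-Powered-By, X-AspNet-Version) are present and whether they carry a version number, so the same logic can be run before and after the nginx or HAProxy change. The three sample responses are constructed, not captured from real hosts, and the `check_host` helper that does a live HEAD request is an assumption about how one would wire it to a real server.

```python
import http.client
import re

# Constructed sample responses (not from real servers): one leaking a version,
# one with the Server header replaced as in the HAProxy/nginx snippets above,
# and one with the header removed entirely.
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
REPLACED = "HTTP/1.1 200 OK\r\nServer: Silly\r\nContent-Type: text/html\r\n\r\n"
STRIPPED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

# Headers that commonly carry product and/or version information.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# A dotted number such as 1.18 or 1.18.0 is treated as a version string.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.x response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw: str) -> dict:
    """Return {header_name: 'version' | 'product'} for each disclosing header present.

    'version' means the value includes a dotted version number (worst case),
    'product' means only a product name or a decoy value is exposed.
    """
    findings = {}
    for name, value in parse_headers(raw).items():
        if name in DISCLOSING_HEADERS:
            findings[name] = "version" if VERSION_RE.search(value) else "product"
    return findings


def check_host(host: str, port: int = 443) -> dict:
    """Assumed helper: issue a HEAD request to a live host and classify its headers."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders()) + "\r\n"
    conn.close()
    return classify(raw)


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("replaced", REPLACED), ("stripped", STRIPPED)):
        print(label, classify(sample) or "no disclosing headers")
```

Run it as-is to see the three constructed cases; point `check_host("some.tld")` at a host you administer to compare its output before and after reconfiguring the front end.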