Low
ISO 27001 A.8.8
CIS Controls CIS 4
Stop leaking software versions in headers and errors
Server, X-Powered-By and framework debug banners tell attackers exactly what you run and which exploits to try.
Why it matters
Version disclosure is reconnaissance made easy. It does not compromise you on its own, but it lets an attacker skip straight to the exploits that match your stack — and debug pages can leak far more.
How to fix it
Suppress version banners, remove X-Powered-By, turn off debug/stack-trace pages in production, and return generic error pages.
# nginx (nginx.conf; http, server or location context)
server_tokens off;

; PHP (php.ini): hide the version and do not display errors
expose_php = Off
display_errors = Off
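To confirm the settings above took effect, the following added example (not part of the original guide) checks an HTTP response for the disclosures named here: a versioned Server header, any X-Powered-By header, and debug output in the body. The function names, the debug-marker patterns and the two sample responses are assumptions constructed for illustration.

```python
import re

# A product token followed by a version number, e.g. "nginx/1.24.0", "PHP/8.2.1".
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.+-]*/\d+(?:\.\d+)*")
# Heuristic markers of debug output in a body (assumed, not exhaustive).
DEBUG_MARKERS = [
    re.compile(r"<b>(?:Fatal error|Parse error|Warning|Notice)</b>:"),  # PHP display_errors
    re.compile(r"Traceback \(most recent call last\)"),                  # Python stack trace
]

def parse_response(raw):
    """Split a raw HTTP response into (headers, body); header names lowercased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers, body

def find_disclosures(raw):
    """Return a list of (location, evidence) findings for one response."""
    headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "x-powered-by":
            # The header exists only to advertise the stack: flag any value.
            findings.append(("header:x-powered-by", value))
        elif name == "server":
            m = VERSION_TOKEN.search(value)
            if m:                               # bare "nginx" passes, "nginx/1.24.0" does not
                findings.append(("header:server", m.group(0)))
    for marker in DEBUG_MARKERS:
        m = marker.search(body)
        if m:
            findings.append(("body:debug-output", m.group(0)))
    return findings

# Constructed sample responses (not captured from a real host).
BEFORE = ("HTTP/1.1 500 Internal Server Error\r\nServer: nginx/1.24.0\r\n"
          "X-Powered-By: PHP/8.2.1\r\n\r\n"
          "<b>Warning</b>: include(config.php): failed to open stream in "
          "<b>/var/www/index.php</b> on line <b>3</b>")
AFTER = ("HTTP/1.1 500 Internal Server Error\r\nServer: nginx\r\n\r\n"
         "<h1>Something went wrong</h1>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, find_disclosures(raw))
```

Run it against error responses as well as normal pages, since debug output usually appears only when a request fails.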
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.