Free Tool

Free Server Information Disclosure Checker

Check whether a website leaks its server software and version through Server, X-Powered-By, and similar headers that help attackers fingerprint it.

Free and instant. No account or signup needed.

What this checker tests

Before attacking a website, an intruder usually starts by reading its response headers. This is banner grabbing, the cheapest part of the reconnaissance stage of an attack. The Server header might announce the web server and version, the X-Powered-By header often names the language or framework, and a few related headers reveal the rest of the application stack. Each detail narrows down what software is running, so the attacker knows where to aim before sending a single malicious request.

This checker fetches the live response from the URL you enter and reports the Server value, the X-Powered-By value, and any other headers that disclose software details. If none of them expose a precise banner, you get a clean result. If they do, you see exactly what is leaking so you can shut it off. A clean result covers headers only: default error pages, header ordering and other behaviour can still fingerprint a server, so treat this check as one layer rather than proof that the stack is hidden.

Why version disclosure helps attackers

A version number is a map to known vulnerabilities. When a header reads nginx/1.18.0 or PHP/7.4.3, an attacker can search public CVE databases for that exact build and immediately know which published exploits might work, with no guesswork and no noisy probing that might trip an alarm. Removing the version, and ideally the whole header, takes that shortcut away and forces an attacker to spend effort they would rather not spend. It is defence in depth, not a substitute for patching: a hidden banner does not remove the vulnerability, it only stops advertising it. For the full background, see the information disclosure guide.

How to remove or mask these headers

On Nginx, set server_tokens off; in the http or server block to drop the version from the Server header (the bare product name nginx is still sent; removing the header entirely needs the third-party headers_more module), and if you sit behind a proxy, strip the upstream header with proxy_hide_header X-Powered-By; so nothing leaks through. If PHP is the upstream, also set expose_php = Off in php.ini so it stops emitting X-Powered-By in the first place. On Apache, set ServerTokens Prod and ServerSignature Off in the main configuration to trim the Server banner down to a bare product name and remove the version footer from error pages. In an Express app, call app.disable('x-powered-by') once at startup, or use a package such as helmet that removes it for you along with other hardening. After you change any of these, run this checker again to confirm the headers are gone.
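The logic a checker like this applies, as an added example that is not the page's own tool: it parses a raw HTTP response head (what curl -sI prints), collects the headers that routinely disclose the stack, and tells a bare product name apart from a dotted version number. The two responses below are constructed; the hardened one assumes the Nginx and PHP stack has had server_tokens off and expose_php = Off applied, so only the product name nginx survives. The Via handling is there because its leading 1.1 is the HTTP protocol version, not a software version, and must not be counted as a leak.

```python
"""Flag response headers that fingerprint the server stack.

Added example, not the page's checker. Input is a raw HTTP response head
(status line plus headers, as `curl -sI https://example.test` prints it).
The sample responses below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Header names (lower-cased) that routinely expose server or framework details.
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
    "via",
)

# A dotted version string such as 1.18.0 or 7.4.3.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Parse status line + headers into a lower-cased name -> values map.

    Header names are case-insensitive, so `X-Powered-By` from PHP and
    `x-powered-by` from an HTTP/2 proxy must both be caught. Repeated
    headers are kept as separate values.
    """
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line ends the header block
        if ":" not in line:
            continue                # tolerate junk instead of crashing
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _software_version_present(name: str, value: str) -> bool:
    """True when the value carries a software version, not just a product name."""
    if name == "via":
        # Via lists "<proto-version> <host> [comment]" per hop; the 1.1 is
        # HTTP's version, not the proxy's, so drop it before matching.
        value = ", ".join(
            re.sub(r"^(?:HTTP/)?\d+\.\d+\s*", "", hop.strip())
            for hop in value.split(",")
        )
    return VERSION_RE.search(value) is not None


def find_disclosures(headers: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (header, value, severity) for every disclosing header present.

    severity is "version" when a version number is present (it maps straight
    to a CVE lookup) and "product" when only a bare product name is sent.
    """
    findings = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            severity = "version" if _software_version_present(name, value) else "product"
            findings.append((name, value, severity))
    return findings


def grade(headers: Dict[str, List[str]]) -> str:
    """Collapse the findings into the three outcomes the page describes."""
    severities = {sev for _, _, sev in find_disclosures(headers)}
    if "version" in severities:
        return "leaking version"
    if "product" in severities:
        return "product name only"
    return "clean"


# Constructed sample: Nginx in front of PHP, behind a Varnish cache, unhardened.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Via: 1.1 varnish\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same stack after server_tokens off and expose_php = Off
# (assumed configuration); only the bare product name remains.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        headers = parse_response_head(raw)
        print(label, grade(headers), find_disclosures(headers))
```

Pipe real output in with curl -sI to try it against a host you own; the "product name only" result is what a correctly applied server_tokens off or ServerTokens Prod produces, and "clean" needs the header removed altogether.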

Frequently asked questions

What is a server information disclosure checker?

A server information disclosure checker fetches a website's response headers and tells you whether the Server, X-Powered-By, or similar headers reveal the exact software and version a site runs. SiteSecurityScore checks this live by scanning the URL you enter, no signup needed.

Why does revealing the server software matter?

When a header says something like nginx/1.18.0 or PHP/7.4.3, an attacker can look up every known vulnerability for that exact version and try them against your site. Hiding the version forces them to work harder and removes an easy shortcut to known exploits.

What headers leak server information?

The most common are Server and X-Powered-By, but version details also leak through X-AspNet-Version, X-AspNetMvc-Version, and verbose framework or cache headers such as X-Generator and Via. This checker flags the Server and X-Powered-By values it sees plus any other disclosing headers in the response.

Is it always bad to send a Server header?

A short product name on its own is low risk. The real problem is version numbers and stack details, because they map directly to published vulnerabilities. The safest choice is to remove the version, and ideally the header, so there is nothing precise to fingerprint.

How do I remove the Server and X-Powered-By headers?

On Nginx set server_tokens off and strip the header at the proxy, on Apache set ServerTokens Prod and ServerSignature Off, and in Express call app.disable('x-powered-by'). The educational section on this page shows the exact configuration for each.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy and paste fixes. No account required.

Run a full scan