HTTP security headers

Server Banner & Technology Disclosure

Why Server and X-Powered-By headers that reveal software versions hand attackers a head start, and how WebGuard flags them.

Last updated June 9, 2026

What it is

Response headers such as `Server`, `X-Powered-By`, `X-AspNet-Version`, `X-AspNetMvc-Version`, and `X-Generator` can announce the exact software, and often the precise version, running on your public edge.

Why it matters

Version detail lets an attacker match known vulnerabilities to your stack without any probing, turning broad scanning into a targeted shortlist. Suppressing or genericizing these banners removes that free reconnaissance. A banner that includes a version number is a stronger signal than a bare product name.

How WebGuard checks it

WebGuard reads your response headers and reports when `Server`, `X-Powered-By`, `X-AspNet(-Mvc)-Version`, or `X-Generator` expose product or version detail. It only inspects headers your public site already returns; it does not probe or fingerprint beyond that.

A sensible starting configuration:

Prefer a generic banner (e.g. `Server: nginx`) over one with a version (`Server: nginx/1.18.0`); remove X-Powered-By entirely.

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.