How do I fix server version on Magento Open Source?

Same server-level steps as Adobe Commerce (on-premises) above apply directly to Magento Open Source. On Nginx: add `server_tokens off;` to nginx.conf and use headers_more module to fully strip the Server header. On Apache: set `ServerTokens Prod` and `ServerSignature Off` in httpd.conf; add `Header unset X-Powered-By` in the vhost or .htaccess. Set `expose_php = Off` in php.ini to prevent PHP version disclosure via X-Powered-By. Restart the web server after changes and verify with `curl -I https://yourstore.com`.

How to fix server version on Magento Open Source

Remove or suppress the Server version header so your web server software and version number are no longer exposed in every HTTP response.

Steps for Magento Open Source

Same server-level steps as Adobe Commerce (on-premises) above apply directly to Magento Open Source.
On Nginx: add `server_tokens off;` to nginx.conf and use headers_more module to fully strip the Server header.
On Apache: set `ServerTokens Prod` and `ServerSignature Off` in httpd.conf; add `Header unset X-Powered-By` in the vhost or .htaccess.
Set `expose_php = Off` in php.ini to prevent PHP version disclosure via X-Powered-By.
Restart the web server after changes and verify with `curl -I https://yourstore.com`.

Official Magento Open Source documentation ↗

# Apache (httpd.conf or .htaccess)
ServerTokens Prod
ServerSignature Off
Header unset X-Powered-By

# Nginx (nginx.conf — inside http{} or server{} block)
server_tokens off;
# (requires headers_more module for full removal:)
more_clear_headers 'Server';
more_clear_headers 'X-Powered-By';

# PHP (php.ini)
expose_php = Off

# Next.js (next.config.js)
module.exports = { poweredByHeader: false }

What is server version?

Every time a visitor's browser (or a bot) loads a page on your store, your web server sends back a set of invisible "response headers." One of these is the `Server` header, and by default most web servers announce themselves with their exact name and version number — for example, `Server: Microsoft-IIS/10.0` or `Server: Apache/2.4.51`. A related header, `X-Powered-By`, can also reveal the scripting language or framework version (e.g., `X-Powered-By: PHP/8.1.2`). Together these are called "server version disclosure" or "banner grabbing." Neither header has any meaningful purpose for shoppers — they exist purely as leftover defaults.

Advertising your exact server software and version is like posting a sign on your shop door listing every lock brand and model you use. Automated attack tools (bots) continuously scan the internet for sites running specific software versions with known vulnerabilities. When your version is visible, your store becomes an easy target: attackers can instantly match your version against published vulnerability databases (CVE lists) and launch targeted exploits — without any guesswork. Suppressing these headers does not make your server invulnerable, but it removes you from the easiest tier of automated attack campaigns. It also demonstrates security hygiene to enterprise buyers and payment-card auditors (PCI DSS Requirement 2.2.7 addresses unnecessary information disclosure), reducing compliance friction.

See the complete Server version guide for every platform and the full background.

Not sure if your Magento Open Source store has this?

Run a free SEOLZ audit — we’ll find server version and every other issue across your whole site.

Scan my site free

How to fix server version on Magento Open Source

Steps for Magento Open Source

What is server version?

Not sure if your Magento Open Source store has this?

Fix server version on another platform