Info disclosure server
Quick win
Remove or obscure the Server HTTP response header so your web server software name and version are no longer exposed to the public internet.
What it is
Every time a browser (or a hacker's scanner) requests a page from your store, your web server sends back a response that often includes a `Server` header — a small piece of text that announces exactly what software is running, right down to the version number (e.g., `Microsoft-IIS/10.0`, `Apache/2.4.51`, or `nginx/1.18.0`). This is called information disclosure. Removing or blanking that header is a simple configuration change that stops your store from broadcasting its technology stack to anyone who looks.
Why it matters
Attackers routinely scan millions of sites looking for specific server versions with known security vulnerabilities — your `Server` header is a free map that tells them exactly which exploits to try. Exposing it significantly lowers the effort required to target your store, putting customer data, payment information, and your reputation at risk. OWASP lists this pattern under A05:2021 Security Misconfiguration, one of the most common causes of real-world breaches. Removing the header doesn't fix every vulnerability, but it removes the signpost that guides attackers to them, and it is expected by PCI DSS compliance auditors.
How to fix it
- Identify where your Server header is being set — it is emitted by your web server (Apache, nginx, IIS, LiteSpeed, etc.), your hosting control panel, or a CDN/proxy layer (Cloudflare, Fastly, etc.) in front of your store.
- If you control the web server config directly, edit the appropriate config file: for Apache set `ServerTokens Prod` and `ServerSignature Off`; for nginx set `server_tokens off;`; for IIS use the URL Rewrite module or the `removeServerHeader` setting in web.config to strip the header.
- If your store sits behind a CDN or reverse proxy (Cloudflare, Fastly, AWS CloudFront), apply a response-header transform rule at the CDN layer to remove or overwrite the `Server` header — this is often the fastest path and requires no server access.
- After making the change, restart or reload the web server / CDN configuration so it takes effect.
- Verify the fix by opening your browser DevTools (F12 → Network tab → click any request → Headers), or use a command like `curl -I https://yourstore.com` and confirm the `Server` header is either absent or returns a generic value (e.g., just `server: cloudflare` with no version).
- Document the change and re-test after any platform upgrade, since updates can sometimes re-enable verbose headers.
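The verification step above is easy to get wrong by eye, so here is an added example (not code from the original page) of a small POSIX sh check that reads raw response headers, as printed by `curl -sI`, and reports whether the `Server` header is absent, generic, or still leaking a version string. The sample header dumps are constructed for offline use, and the function names (`server_header_value`, `classify_server_header`, `check_url`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: classify a captured
# `curl -sI` response by what its Server header reveals.
# The header dumps further down are constructed samples, not real captures.

# Print the value of the first Server header found on stdin, with the
# header name, surrounding whitespace and the trailing CR removed.
# Prints nothing when no Server header is present.
server_header_value() {
    tr -d '\r' | grep -i '^server:' | head -n 1 \
        | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Read headers on stdin and print one of:
#   ABSENT                 no Server header at all
#   GENERIC (<value>)      product name only, e.g. "nginx" or "cloudflare"
#   VERSION_LEAK (<value>) product/version, e.g. "Apache/2.4.51"
# Exit status is 1 only for VERSION_LEAK, so the function can gate a CI job.
classify_server_header() {
    value=$(server_header_value)
    if [ -z "$value" ]; then
        echo "ABSENT"
        return 0
    fi
    case "$value" in
        # a slash followed by a digit is the shape of "product/version"
        */[0-9]*)
            echo "VERSION_LEAK ($value)"
            return 1
            ;;
        *)
            echo "GENERIC ($value)"
            return 0
            ;;
    esac
}

# Live check against a URL (needs network; not exercised offline here).
check_url() {
    curl -sI "$1" | classify_server_header
}

# Constructed samples standing in for real `curl -sI` output.
LEAKING_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html'

FIXED_HEADERS='HTTP/1.1 200 OK
Server: cloudflare
Content-Type: text/html'

STRIPPED_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'

# Run with --demo to see the three classifications; pass a URL to check_url
# for a live store.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$LEAKING_HEADERS" | classify_server_header
    printf '%s\n' "$FIXED_HEADERS" | classify_server_header
    printf '%s\n' "$STRIPPED_HEADERS" | classify_server_header
fi
```

Run it as `sh check_server_header.sh --demo` to see the three outcomes, or call `check_url https://yourstore.com` after the change and again after every platform upgrade; a non-zero exit from `classify_server_header` is the signal that the verbose header has come back.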
Apache (.htaccess or httpd.conf)
```apache
# ServerTokens is only valid in the main server config (httpd.conf or a
# vhost), not in .htaccess; ServerSignature and Header work in both.
ServerTokens Prod
ServerSignature Off
# Requires mod_headers. Apache's own Server header is added late in the
# response pipeline, so this does not remove it completely; with
# ServerTokens Prod it is reduced to the bare product name "Apache".
Header unset Server
```

nginx (nginx.conf, inside the http{} or server{} block)
```nginx
# Hides the version, leaving "Server: nginx"
server_tokens off;
```

IIS (web.config, inside <system.webServer>)
```xml
<security>
  <!-- IIS 10 and later: drops the Server header from responses -->
  <requestFiltering removeServerHeader="true" />
</security>
```

Cloudflare Transform Rule (via dashboard UI)
```text
# Rules → Transform Rules → Modify Response Header
# Operation: Remove
# Header name: server
```

Fix it on your platform
Pick your platform for the exact steps.
How to fix info disclosure server on Shopify
- Shopify's infrastructure automatically manages all HTTP response headers at its edge network — store owners cannot access the underlying web server config.
- The `Server` header emitted by Shopify's own CDN (e.g., `server: shopify`) does not expose exploitable version strings; this is handled by Shopify and is outside merchant control.
- If you are using a custom domain proxied through Cloudflare: log in to Cloudflare → select your domain → Rules → Transform Rules → Modify Response Header → Create a rule to REMOVE the `Server` header. Set 'When incoming requests match… all requests' and 'Then… Remove → Header name: server'. Save and deploy.
- Verify by opening DevTools → Network → reload any page → inspect response headers for the absence or sanitization of `Server`.
How to fix info disclosure server on Shopify Plus
- Same as Shopify — the underlying server infrastructure is fully managed by Shopify and cannot be changed by merchants.
- For enterprise setups with a custom reverse proxy or WAF in front of your Shopify Plus storefront, configure that proxy layer to strip or overwrite the upstream `Server` header before it reaches end users.
- If using Cloudflare (common for Plus): Cloudflare dashboard → your domain → Rules → Transform Rules → Modify Response Header → add a Remove rule for the `Server` header.
How to fix info disclosure server on WooCommerce
- WooCommerce runs on WordPress, which runs on a web server you (or your host) control — the fix lives at the server or hosting level, not inside WordPress itself.
- For Apache hosting: connect via SSH or your host's File Manager, open (or create) the `.htaccess` file in your site root, and add: `Header unset Server` and `Header always unset Server`. Ensure `mod_headers` is enabled.
- For nginx hosting: ask your host or edit `/etc/nginx/nginx.conf` (or the server block for your site) — add `server_tokens off;` inside the `http {}` or `server {}` block, then run `nginx -s reload`.
- For managed WordPress hosts (WP Engine, Kinsta, Flywheel, SiteGround): open a support ticket requesting that the `Server` header be removed or suppressed — many do this automatically or have a one-click security hardening option in their dashboard.
- Alternatively, install the 'HTTP Headers' plugin (by WebFactory Ltd) from the WordPress plugin directory: Plugins → Add New → search 'HTTP Headers' → Install & Activate → navigate to Settings → HTTP Headers → Response Headers tab → add a rule to remove the `Server` header.
- Verify with `curl -I https://yourstore.com` and check that `Server` is absent or generic.
How to fix info disclosure server on WordPress.org
- The fix is at the web server layer, not inside WordPress core or a theme.
- For Apache: add `Header unset Server` to your `.htaccess` or virtual host config (requires `mod_headers`). For nginx: add `server_tokens off;` to your `nginx.conf` server block.
- Use the 'HTTP Headers' plugin (Settings → HTTP Headers → Response Headers) to remove the `Server` header without editing server config files directly.
- Verify with browser DevTools (F12 → Network → any request → Response Headers) that `Server` is absent or shows no version string.
How to fix info disclosure server on BigCommerce
- BigCommerce is a fully hosted SaaS platform — the underlying web server and CDN headers are managed by BigCommerce and are not configurable by merchants.
- BigCommerce's infrastructure does not expose exploitable server version strings in the `Server` header by design.
- If you have a custom domain behind Cloudflare: Cloudflare dashboard → your domain → Rules → Transform Rules → Modify Response Header → Create rule → Remove header named `server`. Deploy the rule.
- If you are concerned about a scanner finding on your BigCommerce store, contact BigCommerce support to confirm whether any actionable misconfiguration exists.
How to fix info disclosure server on Wix
- Wix is a fully hosted platform — you have no access to the underlying web server configuration, and Wix manages all response headers at the infrastructure level.
- Wix does not expose detailed server version strings to end users by design.
- If your Wix site uses a custom domain proxied through Cloudflare (Wix does not officially support full Cloudflare proxying, but some setups use it): apply a Transform Rule in Cloudflare to remove the `Server` header as described in the Cloudflare steps above.
- If a scanner flags a `Server` header on a Wix site, contact Wix Support — merchants cannot resolve this independently.
How to fix info disclosure server on Squarespace
- Squarespace is a fully hosted platform with no access to server configuration for merchants.
- Squarespace manages its own CDN and response headers; exploitable server version strings are not exposed.
- If a penetration test or scanner flags a `Server` header on a Squarespace-hosted domain, report it to Squarespace support — this is outside merchant control.
- If you proxy your Squarespace site through Cloudflare, use Cloudflare → Rules → Transform Rules → Modify Response Header to remove the `Server` header at the edge.
How to fix info disclosure server on Webflow
- Webflow hosting is fully managed — merchants cannot access the underlying server configuration.
- Webflow serves sites through its own CDN (powered by Fastly) and does not expose exploitable server version strings by design.
- If you use a custom domain with Cloudflare in front of Webflow: Cloudflare dashboard → your domain → Rules → Transform Rules → Modify Response Header → add a Remove rule for the `Server` header.
- For Webflow Enterprise with a custom reverse proxy, work with your infrastructure team to strip the `Server` header at the proxy layer.
How to fix info disclosure server on Adobe Commerce (Magento)
- Adobe Commerce is typically self-hosted or hosted on Adobe Commerce Cloud — you (or your DevOps team) control the server stack.
- For nginx (most common): SSH into the server, edit `/etc/nginx/nginx.conf` or the Magento vhost config, add `server_tokens off;` inside the `http {}` or `server {}` block, then reload nginx: `sudo nginx -s reload`.
- For Apache: edit the main `httpd.conf` or the vhost `.conf` file — add `ServerTokens Prod` and `ServerSignature Off`, then restart Apache: `sudo systemctl restart httpd`.
- For Adobe Commerce Cloud (cloud.magento.com): add the header suppression in `.magento/routes.yaml` or via a Fastly custom VCL snippet in the Magento Admin → Stores → Configuration → Advanced → System → Full Page Cache → Fastly Configuration → Custom VCL Snippets, adding a `deliver` snippet containing `unset resp.http.Server;` (in `vcl_deliver` the outgoing response is `resp`; `beresp` is only available in `vcl_fetch`, and `recv` runs before any response exists).
- Verify: `curl -I https://yourstore.com` — the `Server` header should be absent or show only a generic value with no version number.
How to fix info disclosure server on Magento Open Source
- Same web-server-level fix as Adobe Commerce: for nginx add `server_tokens off;`, for Apache add `ServerTokens Prod` and `ServerSignature Off` to the server config.
- If hosted on a shared host with cPanel: log in to cPanel → File Manager → edit `.htaccess` in the site root → add `Header unset Server` (requires `mod_headers` to be enabled by your host).
- Alternatively, install a WAF or reverse proxy (e.g., Cloudflare free tier) in front of your Magento store and configure it to strip the `Server` header.
- Verify with `curl -I https://yourstore.com`.
How to fix info disclosure server on PrestaShop
- PrestaShop is self-hosted — apply the fix at the web server level, not within PrestaShop's admin.
- For Apache: add `ServerTokens Prod` and `ServerSignature Off` to `httpd.conf` or the `.htaccess` file in the PrestaShop root.
- For nginx: add `server_tokens off;` to the nginx server block for your PrestaShop site, then reload nginx.
- Verify with `curl -I https://yourstore.com` — `Server` should be absent or show only `Apache` or `nginx` with no version number.
How to fix info disclosure server on OpenCart
- OpenCart is self-hosted — the `Server` header is controlled by the web server, not OpenCart itself.
- For Apache hosting: edit `.htaccess` or `httpd.conf` — add `ServerTokens Prod` and `ServerSignature Off`, then restart Apache.
- For nginx: add `server_tokens off;` to your nginx config, then reload.
- Verify with browser DevTools or `curl -I https://yourstore.com`.
Authoritative references
- OWASP Top Ten — OWASP
- OWASP Cheat Sheet Series — OWASP
- Secure Headers Project — OWASP
- Website security — MDN