How do I fix info disclosure server on Shopify?

Shopify's infrastructure automatically manages all HTTP response headers at its edge network — store owners cannot access the underlying web server config. The `Server` header emitted by Shopify's own CDN (e.g., `server: shopify`) does not expose exploitable version strings; this is handled by Shopify and is outside merchant control. If you are using a custom domain proxied through Cloudflare: log in to Cloudflare → select your domain → Rules → Transform Rules → Modify Response Header → Create a rule to REMOVE the `Server` header. Set 'When incoming requests match… all requests' and 'Then… Remove → Header name: server'. Save and deploy. Verify by opening DevTools → Network → reload any page → inspect response headers for the absence or sanitization of `Server`.

How to fix info disclosure server on Shopify

Remove or obscure the Server HTTP response header so your web server software name and version are no longer exposed to the public internet.

Steps for Shopify

Shopify's infrastructure automatically manages all HTTP response headers at its edge network — store owners cannot access the underlying web server config.
The `Server` header emitted by Shopify's own CDN (e.g., `server: shopify`) does not expose exploitable version strings; this is handled by Shopify and is outside merchant control.
If you are using a custom domain proxied through Cloudflare: log in to Cloudflare → select your domain → Rules → Transform Rules → Modify Response Header → Create a rule to REMOVE the `Server` header. Set 'When incoming requests match… all requests' and 'Then… Remove → Header name: server'. Save and deploy.
Verify by opening DevTools → Network → reload any page → inspect response headers for the absence or sanitization of `Server`.

Official Shopify documentation ↗

## Apache (.htaccess or httpd.conf)
ServerTokens Prod
ServerSignature Off
Header unset Server

## nginx (nginx.conf — inside http{} or server{} block)
server_tokens off;

## IIS (web.config — inside <system.webServer>)
<security>
  <requestFiltering removeServerHeader="true" />
</security>

## Cloudflare Transform Rule (via dashboard UI)
# Rules → Transform Rules → Modify Response Header
# Operation: Remove
# Header name: server

What is info disclosure server?

Every time a browser (or a hacker's scanner) requests a page from your store, your web server sends back a response that often includes a `Server` header — a small piece of text that announces exactly what software is running, right down to the version number (e.g., `Microsoft-IIS/10.0`, `Apache/2.4.51`, or `nginx/1.18.0`). This is called information disclosure. Removing or blanking that header is a simple configuration change that stops your store from broadcasting its technology stack to anyone who looks.

Attackers routinely scan millions of sites looking for specific server versions with known security vulnerabilities — your `Server` header is a free map that tells them exactly which exploits to try. Exposing it significantly lowers the effort required to target your store, putting customer data, payment information, and your reputation at risk. OWASP lists this pattern under A05:2021 Security Misconfiguration, one of the most common causes of real-world breaches. Removing the header doesn't fix every vulnerability, but it removes the signpost that guides attackers to them, and it is expected by PCI DSS compliance auditors.

See the complete Info disclosure server guide for every platform and the full background.

Not sure if your Shopify store has this?

Run a free SEOLZ audit — we’ll find info disclosure server and every other issue across your whole site.

Scan my site free

How to fix info disclosure server on Shopify

Steps for Shopify

What is info disclosure server?

Not sure if your Shopify store has this?

Fix info disclosure server on another platform