Defaults.Exposed

Defaults.Exposed › Reports

What Your Server Headers Tell Attackers: The Stack-Disclosure Report (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data from observed HTTP response headers (Server, X-Powered-By). See how we grade.

Most of the web volunteers what it’s running: 71.4% of sites name their web server in the response headers, and 8.1% go further and reveal their application stack — often with the exact version. None of this is required, and every bit of it is a free hint for an attacker deciding what to target. Version disclosure is the worst of it: a header advertising end-of-life software is an invitation.

What the web announces

The Server header names the web server software. As of 2026-06-29, the most common values among the 71.4% of sites that send one:

Server headerShare of sites that send one
cloudflare21.7%
nginx16.0%
apache14.9%
openresty9.2%
squarespace4.9%

The server name alone is low-risk. The real exposure is X-Powered-By, which 8.1% of sites send — and which frequently includes a precise version. The most common values include asp.net and specific PHP builds like php/7.4.33.

Why version disclosure matters

An attacker scanning the internet for a known vulnerability filters by exactly these headers. A site advertising php/7.4.33 — an end-of-life PHP version that no longer gets security patches — is telling every scanner that it may be exploitable, before a single probe. Disclosure doesn’t create the vulnerability, but it removes the attacker’s reconnaissance cost and moves an unpatched site to the top of the list.

The fix is free and has no downside for visitors: suppress or genericise these headers. There’s no functional reason to broadcast your stack version to the public.

How to stop leaking your stack

  1. Remove X-Powered-By entirely — it serves no purpose for visitors. (One directive in PHP/your framework or a header-strip at the proxy.)
  2. Genericise Server — strip the version, or the header, at your web server or CDN.
  3. Keep the stack patched regardless — hiding the version buys time, it doesn’t replace updating.
  4. Re-check to confirm the headers are gone.

Frequently asked questions

What is the X-Powered-By header? A response header that advertises the application framework and often its exact version (e.g. a specific PHP build). It’s optional and provides no benefit to visitors — only to attackers. 8.1% of sites send one.

Is revealing my server software a vulnerability? Not by itself, but it’s information disclosure: it lets attackers filter for known vulnerabilities in your specific stack and version, cutting their reconnaissance to zero. Best practice is to suppress it.

Should I hide the Server header? Genericising it (dropping the version) is good practice. The bigger win is removing X-Powered-By and keeping software patched.

Does this hurt SEO or visitors? No. These headers are invisible to users and irrelevant to search engines. Removing them is purely upside.

Check what your headers reveal

See exactly what your site announces — and what to strip — free and private.

Check your domain → · The HTTP security header report card → · Aggregate data only. Data stored and processed in the EU.