Apache Version Information Disclosure

Open l4rm4nd opened this issue 3 years ago • 0 comments

The demo site discloses the detailed Apache webserver version in the "Server:" HTTP response header.

This detailed information may be used by attackers to identify outdated software versions that are susceptible to publicly known vulnerabilities. The disclosed Apache version for the demo site is "Apache 2.4.29", which was released in October 2017 and is kinda outdated.

I assume the Docker image is also affected by this version disclosure.

The version disclosure can be deactivated using .htaccess, for example with the following line:

 # Disable server signature
 ServerSignature Off

l4rm4nd, Jul 20 '22 23:07
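
A check for the header this issue describes, as an added example that is not part of the original issue or the project's code: it pulls the `Server` header out of a response head and reports which Apache `ServerTokens` level the value corresponds to. `ServerTokens` is not mentioned in the issue; it is the Apache directive that controls the `Server` response header (server config context only, not `.htaccess`), and `ServerTokens Prod` yields a bare `Server: Apache`. The sample response and the function names are constructed for illustration.

```python
import re

# Constructed sample response head (not captured from the demo site).
SAMPLE = ("HTTP/1.1 200 OK\r\nDate: Wed, 20 Jul 2022 21:07:00 GMT\r\n"
          "Server: Apache/2.4.29 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n<html>")

# A Server value is a list of product tokens ("Apache/2.4.29") and
# parenthesised comments ("(Ubuntu)").
TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")

def server_header(raw_head):
    """Return the Server header value from a raw response head, or None."""
    for line in raw_head.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def classify(value):
    """Describe what a Server value discloses and the matching ServerTokens level."""
    comments, products = [], []
    for m in TOKEN.finditer(value or ""):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products.append((m.group(2), m.group(3)))
    result = {"product": None, "version": None, "os": comments,
              "modules": products[1:], "level": None, "discloses_version": False}
    if not products:
        return result
    name, version = products[0]
    result.update(product=name, version=version,
                  discloses_version=any(v for _, v in products))
    if name == "Apache":                         # levels as documented for ServerTokens
        if len(products) > 1:
            result["level"] = "Full"
        elif comments:
            result["level"] = "OS"
        elif version is None:
            result["level"] = "Prod"
        else:
            parts = len(version.split("."))
            result["level"] = {1: "Major", 2: "Minor"}.get(parts, "Min")
    return result

if __name__ == "__main__":
    print(classify(server_header(SAMPLE)))
```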