Do not disclose server versions in error messages
The version of the Apache (Debian) server is disclosed when attempting to browse to a WordPress endpoint as an unauthenticated user on our web application.
The message reads:
Forbidden
You don't have permission to access this resource.
Apache/2.4.63 (Debian) Server at [domain] Port 80
An attacker could use the information provided to attempt to identify vulnerabilities in the application.
We recommend you prevent the server version from being disclosed in error messages.
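As an added example (not part of the original report), the two Apache directives that control this output, shown first as the Debian package default that produces the quoted footer and then as the hardened setting. On Debian the defaults live in /etc/apache2/conf-available/security.conf; the file path and the example ErrorDocument location are assumptions.

```apacheconf
# --- Weak (Debian default) ---
# ServerTokens OS  puts "Apache/2.4.63 (Debian)" in the Server response
# header; ServerSignature On appends the
# "Apache/2.4.63 (Debian) Server at <host> Port 80" line to every
# server-generated error page such as the 403 quoted above.
ServerTokens OS
ServerSignature On

# --- Hardened ---
# ServerTokens Prod reduces the Server header to just "Apache" (the product
# name cannot be removed entirely with core directives).
# ServerSignature Off drops the version/host/port footer from error pages.
ServerTokens Prod
ServerSignature Off

# Optional: serve a static page for 403 instead of Apache's default error
# document, so the response body carries nothing server-specific.
# /var/www/errors/403.html is an assumed path.
ErrorDocument 403 /var/www/errors/403.html
```

Both directives are server-wide and take effect only in the main server config, not per VirtualHost, so set them once in security.conf (or apache2.conf), run `apachectl configtest`, reload, then confirm with `curl -si http://[domain]/wp-admin/` that the Server header reads only "Apache" and the 403 body no longer ends with the "Server at ... Port 80" line.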