SecurityStatus
high Infrastructure

Technology Fingerprint

Technology fingerprinting is the process of identifying what software powers a website — web server, CMS, frameworks, libraries, and their versions. This information, often leaked in HTTP headers, HTML comments, and JavaScript files, gives attackers a map of exactly which CVEs to try.

What SecurityStatus Checks

  • Server header (reveals web server type and version)
  • X-Powered-By header (reveals PHP version, ASP.NET version, etc.)
  • Generator meta tags (reveals CMS and version)
  • JavaScript library version numbers in source or file names
  • Cookies with framework-specific names (PHPSESSID, ASP.NET_SessionId)

Why This Matters

Knowing you run WordPress 6.2.1 with a specific vulnerable plugin version tells an attacker exactly which exploit to use. A Server header like `Apache/2.4.50` can be looked up directly against CVE databases. Reducing fingerprinting information does not fix vulnerabilities, but it removes the free intelligence attackers use to prioritise targets.

How to Fix It

  1. Remove the Server header or make it generic

    For nginx: `server_tokens off;` removes the version. For Apache: `ServerTokens Prod` shows only 'Apache'. For Cloudflare users: the Server header is already replaced with 'cloudflare'.

  2. Remove X-Powered-By

    For PHP: add `expose_php = Off` to php.ini. For Express.js: `app.disable('x-powered-by')` or use the helmet middleware. For ASP.NET: in web.config, remove X-Powered-By in the customHeaders section.

  3. Remove CMS generator tags

    For WordPress: remove the generator tag by adding `remove_action('wp_head', 'wp_generator');` to functions.php. For other CMSs, check your theme settings or security plugins.

  4. Version your assets with hashes not version numbers

    Instead of jquery-3.7.1.min.js, use build-tool-generated hashes like jquery.a3f2c1.min.js. This prevents version identification via JavaScript file names.
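
To confirm the four steps took effect, the check below audits a single response for the five signals listed under "What SecurityStatus Checks". It is an added example, not SecurityStatus's own scanner code; the function names, finding labels and both sample responses are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Default session cookie names listed on this page; extend for your own stack.
FRAMEWORK_COOKIES = {"phpsessid", "asp.net_sessionid"}
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")  # e.g. 2.4.50 or 3.7.1

class _PageScan(HTMLParser):
    """Collects generator meta tags and script URLs from the HTML."""
    def __init__(self):
        super().__init__()
        self.generators, self.scripts = [], []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

def audit_fingerprint(headers, html):
    """headers: list of (name, value) pairs, so repeated Set-Cookie survives."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "server" and VERSION_RE.search(value):
            findings.append(("server-version", value))
        elif lname == "x-powered-by":
            findings.append(("x-powered-by", value))
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie.lower() in FRAMEWORK_COOKIES:
                findings.append(("framework-cookie", cookie))
    scan = _PageScan()
    scan.feed(html)
    findings += [("generator-tag", g) for g in scan.generators]
    for src in scan.scripts:
        filename = src.split("?", 1)[0].rsplit("/", 1)[-1]
        if VERSION_RE.search(filename):
            findings.append(("versioned-asset", filename))
    return findings

# Constructed sample responses (not captured from any real site).
BEFORE_HEADERS = [("Server", "Apache/2.4.50"), ("X-Powered-By", "PHP/8.1.2"),
                  ("Set-Cookie", "PHPSESSID=abc123; path=/")]
BEFORE_HTML = ('<meta name="generator" content="WordPress 6.2.1">'
               '<script src="/js/jquery-3.7.1.min.js"></script>')
AFTER_HEADERS = [("Server", "Apache"), ("Set-Cookie", "PHPSESSID=abc123; path=/")]
AFTER_HTML = '<script src="/js/jquery.a3f2c1.min.js"></script>'
if __name__ == "__main__":
    print(audit_fingerprint(BEFORE_HEADERS, BEFORE_HTML))
```

On the hardened sample only the `PHPSESSID` cookie is still reported, because the four steps above do not change session cookie names.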

Frequently Asked Questions

Does hiding version numbers actually help?

Yes, marginally. It raises the cost of targeted attacks — the attacker must do more work to identify which CVEs apply. It does not stop determined attackers but does reduce automated scanning success.

If I use Cloudflare, does my real server fingerprint leak?

Cloudflare hides your origin server headers and replaces them with its own. However, some information may leak through page source, JavaScript, or non-standard headers. Always also remove generator tags and X-Powered-By at the application level.

Is fingerprinting the same as a vulnerability?

No. Fingerprinting itself is informational — it reveals information that helps find vulnerabilities. The actual vulnerability is the unpatched software. SecurityStatus reports fingerprinting as high severity because it directly enables targeted attacks.
