I’m running a Magento 2.4.7-p1 store in production mode on an Ubuntu + Apache setup (hosted via Cloudways).
During a recent security audit, a vulnerability was flagged under “Improper Error Handling / Information Disclosure.”
The issue is that even when Magento is in production mode, the HTTP response contains sensitive server details such as the web server version and module identifiers.
Here’s an example response snippet from a 404 (and similar behavior for 403):
HTTP/1.1 404 Not Found
Date: Wed, 05 Nov 2025 05:11:59 GMT
Server: Apache/2.4.58 (Ubuntu) ===> This should not be visible
Pragma: no-cache
Expires: Tue, 05 Nov 2024 05:11:59 GMT
fastly-page-cacheable: YES
Cache-Control: max-age=0, must-revalidate, no-cache, no-store
x-esi: 1
Fastly-Module-Enabled: 1.2.199
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
This leaks:
1. The server type and version (Apache/2.4.58 (Ubuntu))
2. Modules in use (e.g., Fastly-Module-Enabled)
3. Other headers that give attackers insight into my stack.
What I’ve Tried
Verified Magento is running in Production Mode using:
php bin/magento deploy:mode:show
Verified display_errors and display_startup_errors are set to Off in php.ini.
Questions:
- Is there a Magento or Apache configuration that controls these headers (Server, X-ESI, Fastly-Module-Enabled, etc.)?
- Can this information be suppressed without breaking Magento’s caching or Fastly integration?
- Is there a Magento security patch or recommended practice to mitigate server information disclosure in HTTP responses?
Goal:
Prevent server information disclosure in HTTP response headers and ensure Magento production deployment does not leak internal server or module info (to comply with OWASP A5 – Security Misconfiguration and Information Disclosure).
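Added example (not from the question, Magento or the Fastly module): a POSIX shell audit of a captured response for the kinds of headers flagged above, plus a writer for the Apache directives that govern the Server header. It assumes an Ubuntu Apache layout and constructed sample responses; the Apache fragment only trims the Server header, because ServerTokens cannot remove it outright.

```shell
#!/bin/sh
# Added example (not from the question or from Magento/Fastly): audit a captured
# response for stack-disclosing headers and emit an Apache hardening fragment.

# Constructed sample modelled on the 404 in the question (values are made up).
LEAKY_RESPONSE='HTTP/1.1 404 Not Found
Server: Apache/2.4.58 (Ubuntu)
X-Powered-By: PHP/8.3.0
Fastly-Module-Enabled: 1.2.199
X-Content-Type-Options: nosniff'

# Constructed sample of the same response after hardening.
HARDENED_RESPONSE='HTTP/1.1 404 Not Found
Server: Apache
X-Content-Type-Options: nosniff'

# check_headers RESPONSE_TEXT
# Prints one finding per offending header; returns 1 if anything was found, else 0.
# Header names are matched case-insensitively; CRLF line endings are tolerated.
check_headers() {
    findings=$(printf '%s\n' "$1" | tr -d '\r' | awk -F': *' '
        tolower($1) == "server" && $2 ~ /[0-9]/ { print "Server reveals version: " $2 }
        tolower($1) == "x-powered-by"          { print "X-Powered-By reveals runtime: " $2 }
        tolower($1) == "fastly-module-enabled" { print "Fastly module version exposed: " $2 }
    ')
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# write_apache_hardening FILE
# Writes a fragment for /etc/apache2/conf-available (assumed Ubuntu path).
# ServerTokens Prod reduces "Server" to "Apache" but does not remove it;
# the Header directive needs mod_headers (a2enmod headers).
write_apache_hardening() {
    cat > "$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
<IfModule mod_headers.c>
    Header always unset X-Powered-By
</IfModule>
EOF
}
```

The Fastly-Module-Enabled and x-esi headers are, as far as I understand the Fastly module, set for the edge to read, so removing them in the Fastly VCL at delivery rather than at the Apache origin is the less risky place; the script deliberately does not strip them.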