Nikto Web Server Scan

Medium

Scans web servers for dangerous files, outdated software, and misconfigurations using Nikto. Requires domain verification.

Estimated fix time: 30 minutes

What is a Nikto Web Server Scan?

Nikto is an open-source web server scanner that tests for dangerous files, outdated server software, and server configuration issues. It performs comprehensive tests against web servers for multiple items including over 6,700 potentially dangerous files and programs.

Security Impact

Severity: High

  • Exposed server version information
  • Outdated software with known vulnerabilities
  • Dangerous default files accessible publicly
  • Server misconfigurations that leak sensitive data
  • Missing security headers

Common Findings & Fixes

1. Server Version Disclosure

Nikto often detects exposed server version headers, which help attackers identify known vulnerabilities.

# Nginx - hide version (nginx.conf, inside the http {} block)
server_tokens off;
# Apache - hide version (httpd.conf / apache2.conf)
ServerTokens Prod
ServerSignature Off

2. Dangerous Default Files

Remove or block access to files that must never be served from the web root, and keep the document root pointed at Laravel's public/ directory so the project files above it are not reachable at all:

# Block access to sensitive files (place inside the server {} block).
# Returning 404 rather than 403 avoids confirming to a scanner that the file exists.
location ~ /\.(env|git|htaccess|htpasswd) {
    deny all;       # never reached: return runs in the rewrite phase, before access checks
    return 404;
}

location ~ /(composer\.(json|lock)|package\.json|webpack\.mix\.js) {
    deny all;
    return 404;
}

3. Directory Listing Enabled

# Nginx - disable directory listing (http, server or location context)
autoindex off;
# Apache - disable directory listing (in the <Directory> block for the document root, or .htaccess)
Options -Indexes

4. Missing Security Headers

Add essential security headers in a Laravel middleware (register it in app/Http/Kernel.php on Laravel 10 and earlier, or in bootstrap/app.php on Laravel 11 and later) or in your web server config:

<?php
// app/Http/Middleware/SecurityHeaders.php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        // Let the request reach the application first, then decorate the response
        $response = $next($request);

        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
        // Deprecated header that modern browsers ignore; scanners still report its absence
        $response->headers->set('X-XSS-Protection', '1; mode=block');
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        $response->headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');

        return $response;
    }
}

5. Outdated Software

Keep your web server and PHP version up to date:

# Update Nginx (Debian/Ubuntu)
sudo apt update && sudo apt upgrade nginx

# Update PHP-FPM (adjust the package name to the PHP version you run)
sudo apt update && sudo apt upgrade php8.3-fpm

Verification

After applying fixes, run a Nikto scan to confirm the issues are resolved. The scan should report fewer findings and no critical vulnerabilities.
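An offline checker, added here as an example (it is not Nikto's code or StackShield's), that parses saved HTTP responses and reports the four classes of finding this guide covers, so a fix can be re-checked quickly before the next full scan. The header list mirrors the middleware above and the path list mirrors the nginx rules; the sample responses are constructed, not captured from any real host.

```python
"""Offline re-check of the Nikto finding types covered in this guide.

Feed it the raw text of an HTTP response (as saved by `curl -si URL`)
together with the path that was requested, and it reports: server
version disclosure, sensitive files reachable, directory listing, and
missing security headers.
"""
import re

# Headers the guide's Laravel middleware sets; absence of any is a finding.
REQUIRED_HEADERS = (
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "referrer-policy",
    "permissions-policy",
)

# Paths the guide's nginx rules block; a 200 on any of them is a finding.
SENSITIVE_PATHS = frozenset({
    "/.env", "/.git/HEAD", "/.git/config", "/.htaccess", "/.htpasswd",
    "/composer.json", "/composer.lock", "/package.json", "/webpack.mix.js",
})

# "nginx/1.18.0", "Apache/2.4.41", "PHP/8.1.2" all carry a dotted version.
VERSION_RE = re.compile(r"\d+\.\d+")
# nginx autoindex and Apache mod_autoindex both title the page "Index of /...".
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, header dict, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(path: str, raw: str) -> list:
    """Return the findings for one request/response pair, in the order
    the guide's sections discuss them (empty list means clean)."""
    status, headers, body = parse_response(raw)
    findings = []

    # 1. Server version disclosure
    for name in ("server", "x-powered-by"):
        if name in headers and VERSION_RE.search(headers[name]):
            findings.append(f"version disclosure in {name}: {headers[name]}")

    # 2. Dangerous default files reachable
    if status == 200 and path in SENSITIVE_PATHS:
        findings.append(f"sensitive file reachable: {path}")

    # 3. Directory listing enabled
    if status == 200 and LISTING_RE.search(body):
        findings.append(f"directory listing enabled at {path}")

    # 4. Missing security headers
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(f"missing header: {name}")

    return findings


# Constructed sample responses (not captured from any real host).
BEFORE_ENV = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/8.1.2\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "APP_KEY=base64:constructed-sample-value\r\n"
)

AFTER_ENV = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n"
    "<html><body>404 Not Found</body></html>\r\n"
)

LISTING = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /uploads</title></head>"
    "<body><h1>Index of /uploads</h1></body></html>\r\n"
)

if __name__ == "__main__":
    samples = (("before fix", "/.env", BEFORE_ENV),
               ("after fix", "/.env", AFTER_ENV),
               ("uploads", "/uploads/", LISTING))
    for label, path, raw in samples:
        print(f"{label} {path}:")
        for finding in audit(path, raw) or ["no findings"]:
            print("  -", finding)
```

Save a real response with `curl -si https://your-host/.env > env.txt` and pass the file contents to audit(). The check is deliberately narrower than Nikto: it inspects one response at a time and only the finding types above, so it is a quick regression check, not a replacement for the full scan.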

  • Security Headers
  • Directory & File Exposure
  • Web Application Vulnerability Scan

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
