Technology Fingerprinting

Difficulty: Easy

Identifies web technologies, frameworks, and their versions for vulnerability assessment using WhatWeb.

Estimated fix time: 15-20 minutes

What is Technology Fingerprinting?

WhatWeb identifies web technologies including content management systems, JavaScript libraries, web servers, and frameworks. While this information is often benign, it helps attackers target known vulnerabilities in specific software versions.

Security Impact

Severity: Medium

  • Targeted attacks using known CVEs for detected versions
  • Framework-specific exploitation techniques
  • Reduced attacker effort through version-specific attack paths
  • Enumeration of third-party components (JavaScript libraries, CDNs, plugins) that can be attacked through their own supply chain

How to Fix

1. Remove Laravel/PHP Version Headers

The X-Powered-By: PHP/x.y.z header is added by PHP itself whenever expose_php is On, so the primary fix is in php.ini:

; php.ini - disable PHP's X-Powered-By header
expose_php = Off

A middleware can still strip X-Powered-By (and any identifying header a package adds) as a second line of defence. PHP's own header is not in Symfony's header bag, so $response->headers->remove() alone does not touch it; header_remove() does. Do not try to set the Server header here: in the usual nginx + PHP-FPM and Apache setups the web server emits its own Server header regardless of what the application sends, so it has to be changed in the server configuration (step 2).

// app/Http/Middleware/SecurityHeaders.php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Drop identifying headers set by the application or its packages.
        $response->headers->remove('X-Powered-By');

        // PHP's own X-Powered-By (expose_php=On) lives outside the header bag,
        // so remove it at the PHP level as well.
        header_remove('X-Powered-By');

        return $response;
    }
}

Register the middleware globally (the $middleware array in app/Http/Kernel.php, or ->withMiddleware() in bootstrap/app.php on Laravel 11) so it runs for every response, including error responses.

2. Hide Web Server Version

server_tokens off (nginx) and ServerTokens Prod (Apache) remove the version number but still announce the product ("Server: nginx", "Server: Apache"). Removing the header outright on nginx needs the third-party headers-more module (ngx_http_headers_more_filter_module), which is not compiled into stock nginx; Apache has no core directive to drop it, so either accept "Server: Apache" or use a module such as mod_security (SecServerSignature) to rewrite the value.

# Nginx (http or server context)
server_tokens off;
# Needs the headers-more module; omit this line if it is not installed
more_clear_headers 'Server';

# Apache (main server config)
ServerTokens Prod
# Stops the version footer on server-generated error and index pages
ServerSignature Off

3. Remove Framework Meta Tags

Laravel's stock Blade views do not emit a generator tag, but starter kits, CMS packages and purchased themes sometimes do. Grep resources/views for "generator" and remove any tag that names the framework or its version:

<!-- Remove any generator meta tags -->
<!-- <meta name="generator" content="Laravel"> -->

4. Customize Error Pages

Laravel's built-in error views are visually recognisable, and with APP_DEBUG=true they are replaced by a debug screen that prints the framework and PHP versions. Laravel renders resources/views/errors/<status>.blade.php whenever that file exists (php artisan vendor:publish --tag=laravel-errors copies the defaults as a starting point), so create neutral views for the statuses users will actually hit:

// resources/views/errors/404.blade.php
// resources/views/errors/419.blade.php
// resources/views/errors/500.blade.php
// resources/views/errors/503.blade.php  (maintenance mode)
// Keep them generic: no framework name, version, or stack traces

5. Remove Unnecessary Response Headers

Middleware can only remove headers the application itself sets. Headers injected by the web server, a CDN or a reverse proxy (Server, Via, X-Cache, or X-Turbo-Charged-By from LiteSpeed) have to be removed in that layer's configuration. Also look at Set-Cookie: the default session cookie name laravel_session is a reliable Laravel fingerprint. Rename it with SESSION_COOKIE in .env (config/session.php reads that variable); note that XSRF-TOKEN is set by the VerifyCsrfToken middleware and is not configurable from the session config.

// In your middleware
$response->headers->remove('X-Powered-By');
// Only effective if the application set it; LiteSpeed adds its own copy after PHP runs
$response->headers->remove('x-turbo-charged-by');

6. Disable Debug Mode in Production

With debugging on, any unhandled exception renders a debug page that exposes stack traces, source paths, the Laravel and PHP versions and request data. Set the following in .env (and run php artisan config:cache afterwards if you cache configuration):

APP_DEBUG=false
APP_ENV=production

Verification

After applying these changes, re-run WhatWeb: it should report fewer technologies and no version numbers. Some detection is unavoidable (CSS framework class names, JavaScript bundle patterns, the XSRF-TOKEN cookie), but nothing server-side should name a product version, and the Server header should carry at most a bare product name.
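To check the result from the terminal, run WhatWeb in verbose mode against the site (whatweb -v -a 3 https://example.com) and pull the raw headers with curl -sI. The script below is an added example, not part of this guide's original content or of WhatWeb: it applies the same kind of checks WhatWeb's plugins make (Server and X-Powered-By headers, framework cookie names, generator meta tags) to a saved HTTP response so a "before" and "after" capture can be compared offline. The two responses embedded in it are constructed samples, and the header and cookie lists are a minimal set chosen for this guide, not WhatWeb's plugin database.

```python
import re
from typing import List, Tuple

# Headers whose presence alone names part of the stack. Minimal set for this
# example; WhatWeb's plugins match far more.
IDENTIFYING_HEADERS = {
    "x-powered-by",        # PHP with expose_php=On, or a framework/package
    "x-turbo-charged-by",  # LiteSpeed
    "x-generator",
    "x-aspnet-version",
}

# Default cookie names that tie a response to a framework.
FRAMEWORK_COOKIES = {
    "laravel_session": "Laravel",
    "xsrf-token": "Laravel (VerifyCsrfToken)",
    "phpsessid": "PHP",
}

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I
)


def parse_response(raw: bytes) -> Tuple[int, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.x response into (status, [(name, value)], body).

    Header names are lower-cased; repeated headers (Set-Cookie) are kept as
    separate entries so every cookie is inspected.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body.decode("utf-8", "replace")


def fingerprint_findings(raw: bytes) -> List[str]:
    """Return one human-readable finding per fingerprinting indicator."""
    _, headers, body = parse_response(raw)
    findings: List[str] = []
    for name, value in headers:
        if name == "server":
            # server_tokens off / ServerTokens Prod leave only the product
            # name; a version number means that hardening is missing.
            if VERSION_RE.search(value):
                findings.append(f"Server header leaks version: {value}")
            else:
                findings.append(f"Server header names product: {value}")
        elif name in IDENTIFYING_HEADERS:
            findings.append(f"Identifying header {name}: {value}")
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip().lower()
            if cookie in FRAMEWORK_COOKIES:
                findings.append(f"Cookie {cookie} identifies {FRAMEWORK_COOKIES[cookie]}")
    for match in GENERATOR_RE.finditer(body):
        findings.append(f"Generator meta tag: {match.group(1)}")
    return findings


# Constructed sample captures (not real hosts): a stock Laravel deployment and
# the same site after steps 1-6 plus a renamed session cookie.
BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.24.0\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Powered-By: PHP/8.2.12\r\n"
    b"Set-Cookie: XSRF-TOKEN=abc; path=/; samesite=lax\r\n"
    b"Set-Cookie: laravel_session=def; path=/; httponly; samesite=lax\r\n"
    b"\r\n"
    b'<!doctype html><html><head><meta name="generator" content="Laravel">'
    b"<title>Home</title></head><body></body></html>"
)
AFTER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: XSRF-TOKEN=abc; path=/; samesite=lax\r\n"
    b"Set-Cookie: sid=def; path=/; httponly; samesite=lax\r\n"
    b"\r\n"
    b"<!doctype html><html><head><title>Home</title></head><body></body></html>"
)

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for finding in fingerprint_findings(capture) or ["(no indicators)"]:
            print(" -", finding)
```

On the "after" capture only the bare product name and the XSRF-TOKEN cookie remain, which is the residual, unavoidable detection the verification step describes; anything reporting a version or an identifying header means one of the steps above did not take effect in the layer that actually sets that header.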

Related Guides

  • Security Headers
  • Nikto Web Server Scan
  • Laravel Debug Mode

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
