How to Fix Nikto Web Server Scan Findings in Laravel

Scans web servers for dangerous files, outdated software, and misconfigurations using Nikto. Requires domain verification.

application security | Medium fix | 30 minutes

Full Documentation

What is a Nikto Web Server Scan?

Nikto is an open-source web server scanner that tests for dangerous files, outdated server software, and server configuration issues. It performs comprehensive tests against web servers for multiple items including over 6,700 potentially dangerous files and programs.

Security Impact

Severity: High

  • Exposed server version information
  • Outdated software with known vulnerabilities
  • Dangerous default files accessible publicly
  • Server misconfigurations that leak sensitive data
  • Missing security headers

Common Findings & Fixes

1. Server Version Disclosure

Nikto often detects exposed server version headers, which help attackers identify known vulnerabilities.

# Nginx - hide version (http or server context; the Server header still reads "nginx", without a number)
server_tokens off;
# Apache - hide version (main config, e.g. apache2.conf or httpd.conf)
ServerTokens Prod
ServerSignature Off

2. Dangerous Default Files

Remove or restrict access to default installation files:

# Block access to sensitive files (place inside the server { } block)
# "return 404" is processed before "deny all", so the file appears absent rather than forbidden
location ~ /\.(env|git|htaccess|htpasswd) {
    deny all;
    return 404;
}

# Build and dependency manifests reveal package versions; block them too
location ~ /(composer\.(json|lock)|package\.json|webpack\.mix\.js) {
    deny all;
    return 404;
}

3. Directory Listing Enabled

# Nginx - disable directory listing (off is the default; make sure no location re-enables it)
autoindex off;
# Apache - disable directory listing (in the <Directory> block for the document root or in .htaccess)
Options -Indexes

4. Missing Security Headers

Add essential security headers in your Laravel middleware or web server config:

// app/Http/Middleware/SecurityHeaders.php
// Register it globally: in app/Http/Kernel.php ($middleware) or, on Laravel 11+,
// via ->withMiddleware() in bootstrap/app.php, so every response carries the headers.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
        // Legacy header: modern browsers ignore it, but scanners still report it as missing
        $response->headers->set('X-XSS-Protection', '1; mode=block');
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        $response->headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');

        return $response;
    }
}

5. Outdated Software

Keep your web server and PHP version up to date:

# Update Nginx
sudo apt update && sudo apt upgrade nginx

# Update PHP
sudo apt update && sudo apt upgrade php8.3-fpm

Verification

After applying fixes, run a Nikto scan to confirm the issues are resolved. The scan should report fewer findings and no critical vulnerabilities.
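Between full Nikto runs, a small script can confirm the three fixes above (sections 1, 2 and 4) on every deploy. This is an added example, not StackShield's or Laravel's code; it assumes the site's base URL is passed to audit(), and the X-Powered-By check goes slightly beyond the page (PHP's own version header, removed with expose_php=Off in php.ini). The sample responses at the bottom are constructed.

```python
import http.client
from urllib.parse import urlsplit

# Headers section 4 sets; each must appear on every response (names compared lower-cased).
REQUIRED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}
# Paths section 2 blocks; each must 404 (a 403 would still confirm the file exists).
BLOCKED_PATHS = ["/.env", "/.git/HEAD", "/composer.json", "/package.json", "/webpack.mix.js"]

def check_version_disclosure(headers):
    """Section 1: Server (and X-Powered-By, which expose_php=Off in php.ini removes) must not name a version."""
    return [f"{n} discloses a version: {headers[n]!r}" for n in ("server", "x-powered-by")
            if any(ch.isdigit() for ch in headers.get(n, ""))]

def check_security_headers(headers):
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing header {name}")
        elif value.strip().lower() != expected.lower():
            findings.append(f"unexpected value for {name}: {value!r}")
    return findings

def check_blocked_paths(statuses):
    """Section 2: statuses maps each blocked path to the HTTP status it returned."""
    return [f"{p} returned {s}, expected 404" for p, s in statuses.items() if s != 404]

def fetch(base_url, path):
    u = urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}  # status and lower-cased headers
    conn.close()
    return resp.status, headers

def audit(base_url):
    """All three checks against a live host; an empty list means the findings are resolved."""
    _, headers = fetch(base_url, "/")
    statuses = {p: fetch(base_url, p)[0] for p in BLOCKED_PATHS}
    return check_version_disclosure(headers) + check_security_headers(headers) + check_blocked_paths(statuses)
# Constructed sample of what an unfixed deployment typically answers; audit() gives the live equivalent.
UNFIXED_HEADERS = {"server": "nginx/1.18.0", "x-powered-by": "PHP/8.3.6", "x-content-type-options": "nosniff"}
UNFIXED_STATUSES = {"/.env": 403, "/.git/HEAD": 200, "/composer.json": 200, "/package.json": 404, "/webpack.mix.js": 404}
```

Run `audit("https://your-host")` after each deploy; a non-empty list is a regression to fix before the next scheduled Nikto scan.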

Related Issues

  • Security Headers
  • Directory & File Exposure
  • Web Application Vulnerability Scan

Check Your Laravel App for This Vulnerability

StackShield runs this check and 30+ others automatically. No code installation required.