
Insecure Server Configuration

A grab-bag of misconfigurations that don't fall under any single category but each chip away at your security posture: dangerous HTTP methods, oversharing version banners, directory listings exposed to the internet, and forgotten WebDAV endpoints.

What this check probes

  • TRACE method — sends an OPTIONS and a TRACE request and looks for a 200 response. If TRACE is enabled, an attacker who finds an XSS can read cookies even if they're HttpOnly (a Cross-Site Tracing / XST attack).
  • Server banner — inspects the Server response header. nginx alone is fine; nginx/1.18.0 (Ubuntu) is information leakage that helps an attacker target known CVEs.
  • X-Powered-By — same idea: X-Powered-By: PHP/7.2.10 tells an attacker exactly which CVEs to try.
  • Directory listing — requests known directory paths and looks for "Index of /" markup, which means autoindex is enabled and attackers can browse the contents of your web root directory by directory.
  • WebDAV — sends a PROPFIND request. WebDAV endpoints frequently allow file upload, sometimes without authentication, and are a classic web-shell entry point.

Why this matters for PCI DSS

PCI DSS 4.0 Requirement 2.2 mandates that system components are configured securely and that all unnecessary services and functions are removed or disabled. Requirement 2.2.5 specifically calls out that "if any insecure services, protocols, or daemons are present" they must be justified, documented, and have additional security features enabled.

None of the items above have a legitimate business case on a public e-commerce server, which is why removing them is the simplest path to compliance.

How to fix it

Apache — in your main config:

TraceEnable Off
ServerTokens Prod
ServerSignature Off
<Directory /var/www/html>
    Options -Indexes
</Directory>

Then remove the WebDAV modules (Debian/Ubuntu module tooling) from the shell:

sudo a2dismod dav dav_fs dav_lock

nginx — TRACE is not enabled by default. To strip the version from the banner and keep directory listings off:

http {
    server_tokens off;
    autoindex off;
}

Reject every other method with 405 (inside the server block):

if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$) {
    return 405;
}

IIS — disable TRACE and remove the Server header (removeServerHeader is available from IIS 10.0 onwards; both settings belong on the same requestFiltering element):

<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true">
      <verbs allowUnlisted="true">
        <add verb="TRACE" allowed="false" />
        <add verb="OPTIONS" allowed="true" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>

For X-Powered-By in PHP, edit php.ini: expose_php = Off. In ASP.NET, remove the header in web.config via <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol> inside <system.webServer>.

Verify with: curl -I -X OPTIONS https://example.com/ and curl -I -X TRACE https://example.com/. After the fix, TRACE must no longer answer 200, the Server header should carry no version number, and X-Powered-By should be absent.
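To re-check all five items in one go rather than eyeballing curl output, here is an added verification script (not part of the scanner or this page's original content) that applies the probe logic described under "What this check probes" to captured HTTP responses. The sample responses are constructed; the WebDAV rule (207 Multi-Status or a DAV header means WebDAV is live) and the guessed directory path /images/ are assumptions, since the page does not say what the scanner keys on for those two.

```python
import http.client
import re

# Constructed sample responses (not real scan output), keyed by probe name:
#   "trace" -> TRACE /, "propfind" -> PROPFIND /, "dir" -> GET /images/
# Each value is (status, headers, body).
EXPOSED = {
    "trace": (200, {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.2.10"}, "TRACE / HTTP/1.1"),
    "propfind": (207, {"Server": "Apache/2.4.41 (Ubuntu)", "DAV": "1,2"}, "<D:multistatus/>"),
    "dir": (200, {"Server": "Apache/2.4.41 (Ubuntu)"}, "<title>Index of /images</title>"),
}
HARDENED = {
    "trace": (405, {"Server": "nginx"}, ""),
    "propfind": (405, {"Server": "nginx"}, ""),
    "dir": (403, {"Server": "nginx"}, "<h1>403 Forbidden</h1>"),
}

VERSION_RE = re.compile(r"\d+\.\d+")  # "nginx/1.18.0" matches, bare "nginx" does not

def evaluate(responses):
    """Apply the five checks from the description above; return the list of findings."""
    findings = []
    # Lower-case header names once so every lookup is case-insensitive
    hdrs = {name: {k.lower(): v for k, v in r[1].items()} for name, r in responses.items()}
    if responses["trace"][0] == 200:
        findings.append("TRACE enabled (XST risk)")
    if any(VERSION_RE.search(h.get("server", "")) for h in hdrs.values()):
        findings.append("Server banner leaks version")
    if any("x-powered-by" in h for h in hdrs.values()):
        findings.append("X-Powered-By header present")
    status, _, body = responses["dir"]
    if status == 200 and "index of /" in body.lower():
        findings.append("Directory listing enabled")
    # Assumption: a 207 Multi-Status reply or a DAV header means WebDAV is live
    if responses["propfind"][0] == 207 or "dav" in hdrs["propfind"]:
        findings.append("WebDAV (PROPFIND) enabled")
    return findings

def probe(host, dir_path="/images/"):
    """Collect the same three responses from a server you administer (needs network)."""
    out = {}
    for name, method, path in (("trace", "TRACE", "/"), ("propfind", "PROPFIND", "/"), ("dir", "GET", dir_path)):
        conn = http.client.HTTPSConnection(host, timeout=10)
        conn.request(method, path, headers={"Host": host})
        resp = conn.getresponse()
        out[name] = (resp.status, dict(resp.getheaders()), resp.read(4096).decode(errors="replace"))
        conn.close()
    return out

if __name__ == "__main__":
    print(evaluate(EXPOSED))   # all five findings
    print(evaluate(HARDENED))  # []
```

Run evaluate(probe("your.host")) against your own server after applying the fixes above; an empty list means this check should pass on the next scan.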
