Following a vulnerability assessment of our application, we must remove the HTTP Request “Server: cloudflare” because it has been classified as insecure.
The “cloudflare” name was on the “Report-to” tag but we were able to remove it thanks to a transformation rule.
Removing the “Server” header is not accepted in the rules.
Sorry that sounded harsh… a dedicated attacker will determine your website is behind Cloudflare in 8.6 seconds or less using standard tools even if the header is removed. If that constitutes a significant security issue, you have far larger issues. That Cloudflare provides security for your website is not a security issue, it is a feature.
Ask the provider of your analysis to provide an impact statement… How can knowledge that you use Cloudflare be exploited. And how an ASN lookup can’t provide the same information after you pay $250k a year to remove the header.
Could you explain the specific reason? Server headers usually do not pose a security issue. Even if the Server header is removed or replaced with other content, visitors can still confirm that you are using Cloudflare. This is because when you use Cloudflare services, the domain name will be DNS resolved to Cloudflare’s IP, and the ownership of the IP is easy to query.
Please note that this response has been partially machine-translated and may contain inaccuracies. Thank you for your understanding.
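Both replies above make the same point: stripping `Server: cloudflare` removes one signal, but the IP your domain resolves to still belongs to Cloudflare's published ranges. The script below is an added example (not from the original thread or from Cloudflare) that checks a response's headers and its resolved IPs against an embedded, illustrative subset of Cloudflare's IPv4 ranges. The ranges, the sample headers and the sample IPs are constructed for the example; fetch the authoritative list from https://www.cloudflare.com/ips-v4 before using this for real.

```python
import ipaddress
from typing import Dict, Iterable, List

# Illustrative subset of Cloudflare's published IPv4 ranges. This is an
# assumption embedded for an offline example; the authoritative list lives at
# https://www.cloudflare.com/ips-v4 and should be fetched, not hard-coded.
CLOUDFLARE_V4_RANGES: List[str] = [
    "104.16.0.0/13",
    "104.24.0.0/14",
    "172.64.0.0/13",
    "162.158.0.0/15",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(r) for r in CLOUDFLARE_V4_RANGES]


def ip_in_cloudflare(ip: str, nets=CLOUDFLARE_NETS) -> bool:
    """True if `ip` falls inside any of the known Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def cloudflare_signals(headers: Dict[str, str],
                       resolved_ips: Iterable[str]) -> Dict[str, bool]:
    """Return each independent signal that reveals Cloudflare in front of a site.

    - server_header: the `Server: cloudflare` header the original poster wants removed
    - cf_ray_header: the CF-RAY response header Cloudflare adds to proxied responses
    - ip_ownership:  the DNS answer points at a Cloudflare-owned address
    """
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        "server_header": lower.get("server", "").strip().lower() == "cloudflare",
        "cf_ray_header": "cf-ray" in lower,
        "ip_ownership": any(ip_in_cloudflare(ip) for ip in resolved_ips),
    }


def behind_cloudflare(headers: Dict[str, str], resolved_ips: Iterable[str]) -> bool:
    """True if any single signal is enough to identify Cloudflare."""
    return any(cloudflare_signals(headers, resolved_ips).values())


# Constructed sample: the Server header has already been stripped by a
# transform rule, but DNS still resolves to a Cloudflare address.
SAMPLE_HEADERS_STRIPPED = {
    "Content-Type": "text/html; charset=utf-8",
    "CF-RAY": "0123456789abcdef-XXX",   # placeholder value, not a real ray id
}
SAMPLE_IPS = ["104.16.1.2", "104.16.1.3"]   # constructed, inside 104.16.0.0/13

# Constructed sample of a site not fronted by Cloudflare at all.
SAMPLE_HEADERS_ORIGIN = {"Server": "nginx", "Content-Type": "text/html"}
SAMPLE_IPS_ORIGIN = ["203.0.113.10"]       # RFC 5737 documentation address


if __name__ == "__main__":
    for name, h, ips in [("stripped", SAMPLE_HEADERS_STRIPPED, SAMPLE_IPS),
                         ("origin", SAMPLE_HEADERS_ORIGIN, SAMPLE_IPS_ORIGIN)]:
        print(name, cloudflare_signals(h, ips), "->", behind_cloudflare(h, ips))
```

The point of the three separate signals is that the rule in the assessment only addresses the first one; the other two come from how Cloudflare's proxy works and are visible to anyone who can run `dig` and a WHOIS or ASN lookup.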