How to remove the http header "Server: cloudflare"?

Following a vulnerability assessment of our application, we must remove the HTTP Request “Server: cloudflare” because it has been classified as insecure.
The “cloudflare” name was on the “Report-to” tag but we were able to remove it thanks to a transformation rule.
Removing the “Server” header is not accepted in the rules.

Has anyone found a way to remove it?

Purchase an Enterprise plan requesting that specific capability be included. Should be in the $25k per month or so range to unlock that feature.

Whoever performed the vulnerability assessment should likely not be retained for future efforts.

2 Likes

Sorry that sounded harsh… a dedicated attacker will determine your website is behind Cloudflare in 8.6 seconds or less using standard tools even if the header is removed. If that constitutes a significant security issue, you have far larger issues. That Cloudflare provides security for your website is not a security issue, it is a feature.

Ask the provider of your analysis to provide an impact statement… How can knowledge that you use Cloudflare be exploited. And how an ASN lookup can’t provide the same information after you pay $250k a year to remove the header.

3 Likes

Could you explain the specific reason? Server headers usually do not pose a security issue. Even if the Server header is removed or replaced with other content, visitors can still confirm that you are using Cloudflare. This is because when you use Cloudflare services, the domain name will be DNS resolved to Cloudflare’s IP, and the ownership of the IP is easy to query.

Please note that this response has been partially machine-translated and may contain inaccuracies. Thank you for your understanding.

I’m afraid the answer is “no.”

Even if you could get rid of that header, there are plenty more signs it’s Cloudflare…like other headers and the IP address.

1 Like
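The point made across the replies above (the Server header is one of several independent signs, and the resolved IP alone gives the answer) can be checked mechanically. The following is an added example, not code from the thread or from Cloudflare: it re-runs the same fingerprint check on a constructed response with and without the Server header, using Cloudflare's own edge headers (CF-RAY, cf-cache-status) and a snapshot of Cloudflare's published IPv4 ranges. The IP range snapshot is an assumption that goes stale; refresh it from https://www.cloudflare.com/ips-v4 before relying on it, and the sample header values and IP are made up.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: a snapshot goes stale; refresh it from that URL before relying on it.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]

# Headers Cloudflare's edge adds itself; they identify the proxy regardless of
# what the Server header says.
EDGE_HEADERS = ("cf-ray", "cf-cache-status")


def ip_is_cloudflare(ip: str) -> bool:
    """True if the address falls inside a published Cloudflare range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _CF_NETS)


def cloudflare_indicators(headers: dict, resolved_ip: str) -> list:
    """Return every independent sign that a response came through Cloudflare.

    headers: response headers as a name -> value dict (any letter case).
    resolved_ip: the address the hostname resolved to, i.e. what a whois/ASN
    lookup would be run against.
    """
    h = {k.lower(): v for k, v in headers.items()}
    found = []
    if h.get("server", "").lower() == "cloudflare":
        found.append("Server header")
    for name in EDGE_HEADERS:
        if name in h:
            found.append(f"{name} header")
    # Other headers whose value names Cloudflare (e.g. a Report-To endpoint).
    for name, value in h.items():
        if name not in ("server",) + EDGE_HEADERS and "cloudflare" in value.lower():
            found.append(f"'cloudflare' in {name} header value")
    if ip_is_cloudflare(resolved_ip):
        found.append("resolved IP in published Cloudflare range")
    return found


def assess_finding(headers: dict, resolved_ip: str) -> dict:
    """Show what removing only the Server header changes: the same response
    is re-checked with that one header stripped."""
    stripped = {k: v for k, v in headers.items() if k.lower() != "server"}
    return {
        "before": cloudflare_indicators(headers, resolved_ip),
        "after_removing_server": cloudflare_indicators(stripped, resolved_ip),
    }


# Constructed sample of a Cloudflare-proxied response (values are made up).
SAMPLE_HEADERS = {
    "Server": "cloudflare",
    "CF-RAY": "0000000000000000-XXX",
    "cf-cache-status": "DYNAMIC",
    "Report-To": '{"group":"cf-nel","endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=placeholder"}]}',
    "Content-Type": "text/html",
}
SAMPLE_IP = "104.16.1.1"  # constructed; inside 104.16.0.0/13

if __name__ == "__main__":
    result = assess_finding(SAMPLE_HEADERS, SAMPLE_IP)
    print("before removing Server header:", result["before"])
    print("after removing Server header: ", result["after_removing_server"])
```

Run against a real response, the "after" list is what an assessor would still see once the transform rule succeeded; if it is non-empty (and the IP check alone makes it so for any proxied hostname), the finding's impact statement has to explain why the Server header matters when these do not.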
