Skip to main content

Software Component Leak


The web/application server is leaking tech stack information.

Access to such information may facilitate attackers identifying vulnerabilities to exploit.


Filter out the data that is being returned from the server.

GraphQL Specific


Configure the Apollo server to disable the inclusion of stack trace information in error messages sent to clients. Ensure that the 'debug' option is set to 'false' in production environments to prevent leaking detailed server implementation details.


Configure the Yoga framework server to suppress version and technology stack details in HTTP response headers and error messages to prevent information leakage that could aid attackers in exploiting known vulnerabilities.


Configure AWS AppSync resolvers to prevent information leakage by ensuring error messages are generic and do not expose stack details or sensitive information. Utilize AWS AppSync settings to control and mask error responses.


Configure the GraphQLGo server to suppress detailed error messages and stack traces in production environments. Implement middleware or custom error handling that returns generic error messages to the client, thus preventing the leakage of sensitive information about the underlying technology stack.


In the GraphQLRuby framework, ensure that the server configuration is set to minimize information leakage by disabling verbose error messages and introspection in production environments. Use the debug: false option in the GraphQL schema definition and restrict access to introspection queries to authorized personnel only.


Configure the Hasura GraphQL engine to prevent exposing server version information by setting the 'HASURA_GRAPHQL_HIDE_SERVER_HEADER' environment variable to 'true'. Additionally, review and adjust the 'HASURA_GRAPHQL_DEV_MODE' setting to ensure that detailed error messages are not sent to the client in production environments.

REST Specific


Configure the ASP.NET framework to suppress detailed error messages and headers that reveal server or framework versions. Use custom error pages and set the 'customErrors' mode to 'On' or 'RemoteOnly' in the web.config file. Additionally, ensure that the 'httpRuntime' element's 'enableVersionHeader' attribute is set to 'false' to prevent the ASP.NET version from being included in HTTP responses.


In the Ruby on Rails framework, configure the environment files to suppress detailed error messages and stack traces in production. Use 'config.consider_all_requests_local = false' and 'config.action_dispatch.show_exceptions = true' to prevent leaking tech stack information to users. Additionally, ensure that 'config/environments/production.rb' has 'config.log_level = :info' to limit logging verbosity.


Configure the Next.js application to disable the 'x-powered-by' header by setting the 'poweredByHeader' option to false in the 'next.config.js' file. Additionally, ensure that error pages do not disclose stack traces or other sensitive information to the client by customizing the error handling logic.


In the Laravel framework, ensure that the 'APP_DEBUG' setting in the '.env' file is set to 'false' in the production environment to prevent the server from leaking stack trace information. Additionally, configure the 'ExceptionHandler' to handle errors without revealing sensitive information, and use middleware to suppress or customize server headers that disclose technology stack details.


Configure the Express.js application to suppress server version information by setting the 'x-powered-by' header to false using the line 'app.disable('x-powered-by');' in the application setup code.


Configure the Django settings to disable the 'X-Powered-By' header and set 'DEBUG' to False in production to prevent leakage of technical stack information.


In the Symfony framework, to prevent the web/application server from leaking tech stack information, configure the 'expose_php' and 'server_tokens' directives in the 'php.ini' and web server configuration files respectively to 'Off'. Additionally, ensure that the 'prod' environment is used for production, as it does not display error messages or stack traces to the end user. Review and adjust the 'security.yaml' configuration to restrict error output and use the 'WebProfilerBundle' only in the 'dev' environment.


In the Spring Boot application, configure the or application.yml file to disable the exposure of version information. Set '' to false and '' to false if using an older version of Spring Boot. Additionally, customize error handling to prevent stack traces from being sent to clients and review the server's HTTP response headers to remove or obscure any technology stack information.


Configure the Flask application to suppress server banners and error messages that reveal stack information. Use the 'Flask-Talisman' extension to set security headers and the 'WERKZEUG_DEBUG_PIN' environment variable to 'off' to prevent debug pin exposure. Additionally, ensure that 'DEBUG' mode is set to 'False' in the production environment.


Configure the Nuxt.js application to suppress server version headers and error messages that reveal stack details. Utilize the 'render' configuration to remove specific headers and customize error pages to prevent information leakage.


Configure FastAPI to suppress server banners and error messages that reveal stack details. Use middleware to intercept responses and remove headers like 'server' and 'x-powered-by', and customize error handlers to prevent leaking stack information in error responses.


Identifier: information_disclosure/software_component_leak


Ignore this check

skip: true


  • Escape Severity: LOW


  • OWASP: API8:2023
  • pci: 6.5.3
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.18.1
  • nist: SP800-53
  • fedramp: AC-6



  • CVSS_SCORE: 5.3