Server Status Page.
Apache server-status reveals active connections, request URLs, and client IPs
What does this check test?
Apache's `mod_status` module provides a real-time status page at `/server-status` that displays detailed information about the server's current activity: the number of active worker processes, CPU usage, request throughput, the URLs currently being processed, client IP addresses, and request methods. Nginx's `ngx_http_stub_status_module` exposes a similar page (enabled with the `stub_status` directive), typically at `/nginx_status` or `/status`. These debug endpoints are intended for server administrators but are sometimes left accessible to the public.
Why does it matter?
An exposed server status page reveals active user sessions (including full request URLs that may contain tokens or sensitive query parameters), internal IP addresses, backend server architecture, and traffic patterns. An attacker can monitor the status page to harvest session tokens from URLs, identify high-value endpoints, understand traffic patterns to time attacks, and map internal infrastructure. In some configurations, `/server-info` (served by `mod_info`) is also exposed, revealing the full Apache configuration including loaded modules and directory structures.
Who is affected?
Any organization running Apache with `mod_status` or Nginx with `stub_status` enabled should verify these endpoints are restricted. This is especially common on servers configured by administrators who enabled status monitoring for debugging and forgot to restrict access. Cloud deployments using pre-built AMIs or Docker images may include these modules enabled by default.
Where does this apply?
Check common status page paths: `/server-status`, `/server-info`, `/nginx_status`, `/status`, and `/healthz`. Try appending `?auto` to `/server-status` for the machine-readable format. A response containing Apache status information, worker process details, or Nginx connection counters confirms the exposure.
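The check described above, as an added example that is not the scanner's own code: it recognises the machine-readable `?auto` output of `mod_status`, the `mod_status`/`mod_info` HTML titles, and the `stub_status` counter format, and probes the listed paths on a server you administer. The sample bodies are constructed, and the base URL is a placeholder.

```python
import re
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

STATUS_PATHS = ("/server-status?auto", "/server-status", "/server-info",
                "/nginx_status", "/status")

# Constructed sample bodies in the formats mod_status (?auto) and stub_status emit.
SAMPLE_APACHE_AUTO = ("localhost\nServerVersion: Apache/2.4.41 (Ubuntu)\nTotal Accesses: 17\n"
                      "BusyWorkers: 1\nIdleWorkers: 49\nScoreboard: _W________\n")
SAMPLE_NGINX = ("Active connections: 291 \nserver accepts handled requests\n"
                " 16630948 16630948 31070465 \nReading: 6 Writing: 179 Waiting: 106 \n")


def classify(body: str):
    """Name the status page a response body comes from, or None if it is not one."""
    if re.search(r"^(BusyWorkers|IdleWorkers|Scoreboard):", body, re.M) \
            or "Apache Server Status" in body:          # ?auto keys or the HTML title
        return "apache mod_status"
    if "Apache Server Information" in body:             # mod_info HTML title
        return "apache mod_info"
    if re.search(r"^Active connections:\s*\d+", body, re.M) and "Reading:" in body:
        return "nginx stub_status"
    return None


def parse_apache_auto(body: str) -> dict:
    """Turn the 'Key: value' lines of /server-status?auto into a dict (first line is the host)."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_nginx_stub_status(body: str) -> dict:
    """Map the seven stub_status counters, in output order, to names."""
    keys = ("active", "accepts", "handled", "requests", "reading", "writing", "waiting")
    return dict(zip(keys, (int(n) for n in re.findall(r"\d+", body))))


def probe(base_url: str, timeout: float = 5.0) -> list:
    """Fetch each candidate path on a server you administer; return (path, kind) hits."""
    findings = []
    for path in STATUS_PATHS:
        try:
            with urlopen(base_url + path, timeout=timeout) as resp:
                body = resp.read(65536).decode("utf-8", "replace")
        except (HTTPError, URLError, OSError):
            continue            # 403/404 or unreachable: this path is not leaking
        kind = classify(body)
        if kind:
            findings.append((path, kind))
    return findings
```

Call `probe("http://<your-host>")` (placeholder) from your own network; an empty list means none of the paths returned recognisable status data.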
How to fix it
Apache

```apache
# Apache 2.4 syntax: Require (mod_authz_host) replaces the 2.2 Order/Allow/Deny directives
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 10.0.0.0/8
</Location>

# Also restrict server-info if enabled
<Location "/server-info">
    SetHandler server-info
    Require ip 127.0.0.1 10.0.0.0/8
</Location>
```

Nginx

```nginx
location /nginx_status {
    stub_status;
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    deny all;
}
```

References
- Apache: mod_status
- OWASP: Review Webserver Metafiles for Information Leakage
- CWE-215: Insertion of Sensitive Information Into Debugging Code
AppVet checks Server Status Page automatically