Replies: 1 comment 1 reply
-
X-Authentik-Meta-Version is only sent to forward authentication backend servers, not to the end user, so there's no worry in keeping that header
-
Hello,
The question is whether I should hide the version information of the authentik server. I am using nginx (reverse proxy), and I log in to the authentik server at, for example, auth.domain.com.
Is there a risk if I don’t hide the authentik server version information, or would hiding the following cause any issues?
Of course, the less information attackers have about the versions, the better. How should I approach this issue?
I am using an nginx server, and login occurs on the authentik server at auth.domain.com. I am considering whether I should hide the version information of the authentik server from external parties.
Is there a security risk if I don’t hide this information?
If I hide the version numbers, could any potential changes cause issues?
I know that it’s generally better to provide as little information about the system to attackers as possible. How should I approach this issue?
I am thinking of adding the following to the auth.domain.com address:
```nginx
proxy_hide_header X-Powered-By;
proxy_hide_header X-Authentik-Version;
proxy_hide_header X-Authentik-Meta-Version;
proxy_hide_header Server;
```
Or is there a better way to implement this?
Best regards,
Samppady
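As an added example, not part of this discussion or of the authentik project: the nginx block from the post with `server_tokens off` added, plus a small POSIX shell check that scans the headers a browser actually receives for version strings (run it over `curl -sI` output after reloading nginx). The hostname, upstream address and the sample responses are assumptions.

```shell
#!/bin/sh
# Added example (not from the discussion or the authentik project): the nginx
# block from the post plus server_tokens off, and a check for version strings
# in the headers a browser receives. Hostname, upstream and samples are constructed.
HIDDEN_HEADERS="server x-powered-by x-authentik-version x-authentik-meta-version"
# write_nginx_snippet <file>: write the public auth.domain.com server block.
write_nginx_snippet() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name auth.domain.com;
    server_tokens off;   # nginx's own Server header becomes just "nginx"
    location / {
        proxy_pass http://authentik-server:9000;   # assumed upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_hide_header drops headers the upstream sent; nginx's own
        # Server header is not affected by it, hence server_tokens above.
        proxy_hide_header X-Powered-By;
        proxy_hide_header X-Authentik-Version;
        proxy_hide_header X-Authentik-Meta-Version;
        proxy_hide_header Server;
    }
}
EOF
}
# version_leaks <file>: read raw response headers (e.g. saved with
# `curl -sI https://auth.domain.com/ > headers.txt`) and print on one line each
# inspected header whose value still carries a version-like "N.N" (names are
# case-insensitive). Exits 0 only when nothing leaks, so it can gate a deploy.
version_leaks() {
    found=""
    for name in $HIDDEN_HEADERS; do
        grep -Eiq "^$name:.*[0-9]+\.[0-9]+" "$1" && found="$found $name"
    done
    echo "${found# }"
    [ -z "$found" ]
}
# Constructed sample responses: before and after applying the snippet.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.0.0\r\nX-Powered-By: Example/2.0\r\nX-Authentik-Version: 0.0.0-sample\r\nContent-Type: text/html\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
}
# Stand-alone run: show which headers the pre-hardening sample still leaks.
tmp=$(mktemp); sample_before > "$tmp"
version_leaks "$tmp" || echo "version info still exposed; apply the snippet"
rm -f "$tmp"
```

Note that `proxy_hide_header Server` only removes the Server header that authentik itself sends; nginx then adds its own, which `server_tokens off` reduces to plain "nginx" without a version.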