Server-Timing header exposes backend timing data

The Server-Timing header is an optional HTTP response header that your server sends alongside page responses. It carries details of how long individual backend operations took, such as database queries, cache lookups, or routing steps, and this site currently returns it to anyone who inspects its network traffic.

Why this matters

While useful for developers debugging performance, this information also tells attackers about your internal architecture — which systems you use, whether caching is in place, and where processing bottlenecks exist. This can help them craft more targeted attacks.

How to fix it

Remove or restrict the Server-Timing header in production. If you need it for internal debugging, configure your server or CDN to strip it from responses to external visitors while keeping it visible on staging environments or to authenticated developer traffic only.
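As an added example (not part of this finding or any vendor's code), the same policy enforced at the application layer with a WSGI middleware, for cases where the CDN or web server cannot be configured: it assumes the environment name comes from an APP_ENV variable and that upstream authentication marks developer requests by setting the hypothetical `environ["app.developer"]` flag.

```python
"""Strip Server-Timing from responses unless the viewer is entitled to see it."""
import os


class ServerTimingFilter:
    """WSGI middleware: drop Server-Timing in production for non-developer traffic."""

    def __init__(self, app, environment=None):
        self.app = app
        # APP_ENV is an assumed deployment convention, not a standard variable.
        self.environment = environment or os.environ.get("APP_ENV", "production")

    def _keep_header(self, environ):
        # Staging/development keep the header; production keeps it only for
        # requests that upstream auth has flagged as authenticated developers.
        if self.environment in ("staging", "development"):
            return True
        return bool(environ.get("app.developer"))  # hypothetical flag

    def __call__(self, environ, start_response):
        keep = self._keep_header(environ)

        def filtered_start_response(status, headers, exc_info=None):
            if not keep:
                headers = [(k, v) for k, v in headers if k.lower() != "server-timing"]
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered_start_response)


def demo_app(environ, start_response):
    # Constructed sample response that leaks backend timing details.
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Server-Timing", 'db;dur=53, cache;desc="miss";dur=2'),
    ])
    return [b"hello"]


def response_headers(app, environ):
    """Run one request through a WSGI app and return its response headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
        return lambda data: None

    list(app(environ, start_response))
    return dict(captured["headers"])


if __name__ == "__main__":
    prod = ServerTimingFilter(demo_app, environment="production")
    print(response_headers(prod, {}))                      # header removed
    print(response_headers(prod, {"app.developer": True}))  # header kept
```

Wrap the WSGI application in `ServerTimingFilter` at the outermost layer so no other middleware re-adds the header after it has been stripped.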