diff --git a/Dockerfile b/Dockerfile index 76f9df4..ad7d0c3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -75,7 +75,9 @@ RUN apt-get update \ && rm /etc/nginx/sites-enabled/default \ && apt-get purge -y --auto-remove $PASSBOLT_DEV_PACKAGES \ && rm -rf /var/lib/apt/lists/* \ - && rm /usr/local/bin/composer + && rm /usr/local/bin/composer \ + && echo 'php_flag[expose_php] = off' > /usr/local/etc/php-fpm.d/expose.conf \ + && sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf COPY conf/passbolt.conf /etc/nginx/conf.d/default.conf COPY conf/supervisord.conf /etc/supervisor/supervisord.conf diff --git a/spec/docker_image/image_spec.rb b/spec/docker_image/image_spec.rb index 175a2f1..59272c6 100644 --- a/spec/docker_image/image_spec.rb +++ b/spec/docker_image/image_spec.rb @@ -17,6 +17,7 @@ describe 'Dockerfile' do end let(:nginx_conf) { '/etc/nginx/nginx.conf' } + let(:php_conf) { '/usr/local/etc/php-fpm.d/expose.conf' } let(:site_conf) { '/etc/nginx/conf.d/default.conf' } let(:passbolt_home) { '/var/www/passbolt' } let(:passbolt_tmp) { '/var/www/passbolt/tmp' } @@ -71,6 +72,16 @@ describe 'Dockerfile' do end end + describe 'php config' do + it 'exists' do + expect(file(php_conf)).to exist + end + + it 'does not expose php version' do + expect(file(php_conf).content).to match(/^php_flag\[expose_php\]\s+=\s+off$/) + end + end + describe 'nginx configuration' do it 'is installed correctly' do expect(file(nginx_conf)).to exist @@ -93,6 +104,10 @@ describe 'Dockerfile' do it 'points to the correct root folder' do expect(file(site_conf).content).to match 'root /var/www/passbolt/webroot' end + + it 'has server tokens off' do + expect(file(nginx_conf).content).to match(/^\s+server_tokens off;/) + end end describe 'ports exposed' do diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb index 2b6d10a..f0cbc77 100644 --- a/spec/docker_runtime/runtime_spec.rb +++ b/spec/docker_runtime/runtime_spec.rb 
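Review bot: The `expose.conf` written by the new `echo` line has no pool section header, so `php_flag[expose_php]` only ends up in the `[www]` pool because `php-fpm.d/*.conf` files are included alphabetically and the file before it happens to leave `[www]` open; an unrelated drop-in added later could, as far as I can tell, shift it into `[global]` where php-fpm does not accept `php_flag`. Making the target explicit is one line: `&& printf '[www]\nphp_flag[expose_php] = off\n' > /usr/local/etc/php-fpm.d/expose.conf \`. The `sed` on the following line is unanchored and a silent no-op if the packaged `nginx.conf` ever changes the `# server_tokens` comment, so it deserves a comment such as `# hide nginx version; image_spec asserts the substitution actually took effect` to tie it to the spec added in this commit. The `RUN` instruction this hunk edits begins above the hunk.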
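Review bot: The new `has server tokens off` example checks only `nginx.conf`, but `server_tokens` can be re-enabled in any `server` or `location` block, and `conf/passbolt.conf` is copied to `conf.d/default.conf` after the `sed` runs, so a later edit to the site config could bring the version string back without failing this test. Adding `expect(file(site_conf).content).not_to match(/server_tokens\s+on/)` beside it closes that gap cheaply, with the runtime spec as the real guard. The `\s+` in `/^\s+server_tokens off;/` also makes the example fail if the directive is ever dedented to column 0; `/^\s*server_tokens off;/` is the safer anchor. The describe block this example lands in opens above the hunk.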
@@ -49,7 +49,6 @@ describe 'passbolt_api service' do let(:passbolt_host) { @container.json['NetworkSettings']['IPAddress'] } let(:uri) { "/healthcheck/status.json" } let(:curl) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}/#{uri}" } - let(:conf_app) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}/conf/app.php" } describe 'php service' do it 'is running supervised' do @@ -114,4 +113,15 @@ describe 'passbolt_api service' do end end + describe 'hide information' do + let(:curl) { "curl -Isk -H 'Host: passbolt.local' https://#{passbolt_host}/" } + it 'hides php version' do + expect(command("#{curl} | grep 'X-Powered-By: PHP'").stdout).to be_empty + end + + it 'hides nginx version' do + expect(command("#{curl} | grep 'Server:'").stdout).to match /^Server: nginx$/ + end + end + end
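Review bot: The `hides php version` example can pass vacuously: `grep` prints nothing when the request fails outright, when nginx answers `/` without handing it to php-fpm, or when the header arrives in a different case (`x-powered-by` under HTTP/2), so an empty stdout proves little on its own. Capture the headers once, assert a status line is present, and match case-insensitively; `$` in `/^Server: nginx$/` also will not match before the `\r` that `curl -I` normally emits, so allow `\r?`. The enclosing `describe 'passbolt_api service'` block opens before this hunk.
```ruby
  describe 'hide information' do
    let(:headers) { command("curl -Isk -H 'Host: passbolt.local' https://#{passbolt_host}/").stdout }

    it 'returns response headers' do
      expect(headers).to match(%r{^HTTP/})
    end

    it 'hides php version' do
      expect(headers).not_to match(/^x-powered-by:/i)
    end

    it 'hides nginx version' do
      expect(headers).to match(/^server: nginx\r?$/i)
    end
  end
```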