Server

Exposing server software details creates reconnaissance opportunities for attackers. The HTTP Server response header identifies the software running on the origin server handling the request.

Usage

Servers include the Server header to identify the software, and optionally its version, that processed the request. The value follows the same product token format as the User-Agent request header: one or more product names, each optionally followed by a version and a comment.

The level of detail in Server varies by deployment. Revealing specific software versions creates a security risk. Attackers scan for known vulnerabilities in particular versions of web servers, frameworks, and operating systems. A detailed Server header simplifies this reconnaissance.

Note

Revealing version information in the Server header aids attackers scanning for known vulnerabilities. Production deployments benefit from limiting the value to a generic product name or removing the header entirely.

Common approaches to mitigate this risk include:

  • Returning only the product name without a version (e.g., nginx instead of nginx/1.25.3)
  • Setting a generic or custom value
  • Removing the header entirely through server configuration

Most web servers provide configuration options to control the Server header value. Nginx uses the server_tokens directive. Apache uses ServerTokens and ServerSignature. Reverse proxies and CDNs often override the origin server value with their own identifier.

Directives

product

One or more product tokens identifying the server software. Each token optionally includes a version separated by a forward slash, and a comment in parentheses.

Server: <product>/<version> (<comment>)

Multiple products appear space-separated, listed in order of significance.

Example

A minimal response identifies the server software without exposing a version number. This is the recommended approach for production environments.

Server: nginx

Some servers include version details and operating system information. This format exposes more surface area for version-based scanning.

Server: Apache/2.4.57 (Ubuntu)

CDN and cloud platforms often replace the origin server value with their own product name.

Server: cloudflare

A custom or intentionally vague value obscures the underlying technology stack.

Server: webserver

Configuration

Suppress or minimize the Server header to reduce information leakage in production.

nginx:

server_tokens off;

This reduces the value to nginx without a version number. To remove the header entirely, the headers-more module is required:

more_clear_headers Server;

Apache:

ServerTokens Prod
ServerSignature Off

ServerTokens Prod reduces the value to Apache without version or module details. ServerSignature Off removes server information from error pages.

IIS:

Remove the header through URL Rewrite outbound rules or set removeServerHeader="true" in applicationHost.config (.NET 8+).
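The following script is an added example, not part of the original page: it parses a Server value into product tokens following the product/version (comment) grammar given under Directives, rates how much each of the example values above exposes, and can be pointed at a host (the fetch_rating helper, which needs network access) to confirm that one of the configuration changes in this section took effect. The raw responses it audits are constructed samples, not captures from real hosts.

```python
"""Parse Server header values and rate their exposure (added example, not from the page)."""
import http.client
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Product:
    """One product token: name, optional /version, optional (comment)."""
    name: str
    version: Optional[str] = None
    comment: Optional[str] = None


def parse_server(value: str) -> List[Product]:
    """Split a Server value into product tokens: <product>/<version> (<comment>),
    space-separated, most significant first. A comment attaches to the product
    token that precedes it; a leading comment gets a nameless placeholder."""
    products: List[Product] = []
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch.isspace():
            i += 1
        elif ch == "(":
            depth, j = 0, i  # comments may nest: "(a (b))" is one comment
            while j < n:
                if value[j] == "(":
                    depth += 1
                elif value[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if not products:
                products.append(Product(name=""))
            products[-1].comment = value[i + 1 : j]
            i = j + 1
        else:
            j = i
            while j < n and not value[j].isspace() and value[j] != "(":
                j += 1
            name, _, version = value[i:j].partition("/")
            products.append(Product(name=name, version=version or None))
            i = j
    return products


def rate_exposure(value: Optional[str]) -> str:
    """Best to worst: absent < product-only < comment-exposed < version-exposed."""
    if value is None or not value.strip():
        return "absent"
    products = parse_server(value)
    if any(p.version for p in products):
        return "version-exposed"
    if any(p.comment for p in products):
        return "comment-exposed"
    return "product-only"


def server_header(raw_response: str) -> Optional[str]:
    """Pull the Server value out of a raw HTTP response; header names are case-insensitive."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "server":
            return val.strip()
    return None


def audit_capture(raw_response: str) -> str:
    return rate_exposure(server_header(raw_response))


def fetch_rating(host: str, port: int = 443, path: str = "/") -> str:
    """Live check after a configuration change (needs network; not exercised offline)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        return rate_exposure(conn.getresponse().getheader("Server"))
    finally:
        conn.close()


# Constructed sample captures (not real hosts) covering the formats shown on the page.
SAMPLE_CAPTURES: Dict[str, str] = {
    "origin-apache": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    "origin-nginx": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
    "behind-cdn": "HTTP/1.1 200 OK\r\nserver: cloudflare\r\nContent-Length: 0\r\n\r\n",
    "header-removed": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}


def audit_all(captures: Dict[str, str] = SAMPLE_CAPTURES) -> Dict[str, str]:
    return {name: audit_capture(raw) for name, raw in captures.items()}


if __name__ == "__main__":
    for name, rating in audit_all().items():
        print(f"{name:15s} {rating}")
```

The rating deliberately treats a comment such as (Ubuntu) as its own tier: it carries no version, but it still names the operating system, which is more than the product-only value that server_tokens off or ServerTokens Prod produce.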

Last updated: April 4, 2026