Server
The HTTP Server response header identifies the software running on the origin server handling the request.
Usage
Servers send the Server header to identify the software that handled the request, optionally with version information. The value follows the same product token format as the User-Agent request header: one or more product names, each optionally followed by a version and a comment.
The level of detail in Server varies by deployment. Revealing exact software versions is an information disclosure risk: attackers fingerprint web servers, frameworks, and operating systems and match the reported versions against known vulnerabilities, so a detailed Server header simplifies that reconnaissance.
Note
Revealing version information in the Server header aids attackers scanning for known vulnerabilities. Production deployments benefit from limiting the value to a generic product name or removing the header entirely.
Common approaches to mitigate this risk include:
- Returning only the product name without a version (e.g., nginx instead of nginx/1.25.3)
- Setting a generic or custom value
- Removing the header entirely through server configuration
Most web servers provide configuration options to control the Server header value. Nginx uses the server_tokens directive: setting it to off drops the version but still sends nginx. Apache uses ServerTokens and ServerSignature: ServerTokens Prod reduces the value to Apache without removing the header, and ServerSignature Off removes the matching footer from server-generated pages such as error responses. Removing the header entirely usually requires an additional module or a proxy in front of the origin. Reverse proxies and CDNs often override the origin server value with their own identifier, so verify the value a client actually receives rather than assuming the origin configuration is what is exposed.
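The same disclosure, and the same fix, shown in code rather than in nginx or Apache configuration. This is an added example, not code from the page: Python's built-in http.server advertises its own version and the interpreter version in every response, and overriding version_string() is the equivalent of server_tokens off or ServerTokens Prod. The handler classes, the generic value "webserver", and the loopback fetch helper are assumptions made for the demonstration.

```python
"""Added example: version disclosure in Python's http.server and its fix."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class MinimalHandler(BaseHTTPRequestHandler):
    """Answers every GET with a fixed body; request logging silenced for the demo."""

    def do_GET(self):
        body = b"ok\n"
        # send_response() also emits "Server: <self.version_string()>" and a Date header
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        pass


class DefaultHandler(MinimalHandler):
    """Unchanged behaviour: sends e.g. "Server: BaseHTTP/0.6 Python/3.12.1"."""


class HardenedHandler(MinimalHandler):
    """Hardened: a generic product name, no framework or interpreter version."""

    def version_string(self):
        # Assumed generic value; choose whatever fits the deployment.
        return "webserver"


def fetch_server_header(handler_cls):
    """Serve handler_cls on an ephemeral loopback port, GET /, return the Server header."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        value = resp.getheader("Server")
        conn.close()
    finally:
        srv.shutdown()
        srv.server_close()
    return value


if __name__ == "__main__":
    print("default :", fetch_server_header(DefaultHandler))
    print("hardened:", fetch_server_header(HardenedHandler))
```

Running the block prints the two values side by side; the default one leaks both the http.server version and the exact Python release, which is precisely the detail a version-based scan is looking for.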
Directives
product
One or more product tokens identifying the server software. Each token optionally includes a version separated by a forward slash, and a comment in parentheses.
Server: <product>/<version> (<comment>)
Multiple products appear space-separated, listed in decreasing order of significance for identifying the origin server software. A comment conventionally follows the product it describes.
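A parser for the product/version/comment grammar above, plus a check that reports what a given value discloses. This is an added example, not part of the original page: the Product class, the audit_server() function and the sample header values in the test are constructed for the demonstration, and the parser handles the nested and backslash-escaped comments the HTTP grammar allows.

```python
"""Added example: parse Server header values and flag version or comment disclosure."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HTTP token characters: "!#$%&'*+-.^_`|~", digits and letters
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


@dataclass
class Product:
    name: str
    version: Optional[str] = None
    comments: List[str] = field(default_factory=list)


def _read_comment(value, i):
    """value[i] is '('; return (comment text, index just past the matching ')')."""
    depth = 0
    j = i
    while j < len(value):
        c = value[j]
        if c == "\\" and j + 1 < len(value):  # quoted-pair inside a comment
            j += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return value[i + 1:j], j + 1
        j += 1
    raise ValueError("unterminated comment")


def parse_server(value):
    """Split a Server value into Product entries; comments attach to the preceding product."""
    products = []
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c in " \t":
            i += 1
        elif c == "(":
            if not products:
                raise ValueError("comment before any product")
            text, i = _read_comment(value, i)
            products[-1].comments.append(text)
        else:
            m = _TOKEN_RE.match(value, i)
            if not m:
                raise ValueError(f"unexpected character {c!r} at offset {i}")
            name, i, version = m.group(), m.end(), None
            if i < n and value[i] == "/":
                m = _TOKEN_RE.match(value, i + 1)
                if not m:
                    raise ValueError("missing version after '/'")
                version, i = m.group(), m.end()
            products.append(Product(name, version))
    return products


def audit_server(value):
    """Return one finding per disclosed version or comment; empty list means nothing to report."""
    findings = []
    for p in parse_server(value):
        if p.version is not None:
            findings.append(f"{p.name} discloses version {p.version}")
        for text in p.comments:
            findings.append(f"{p.name} discloses comment {text!r}")
    return findings


if __name__ == "__main__":
    for sample in ("nginx", "Apache/2.4.57 (Ubuntu)", "cloudflare"):
        print(f"{sample!r}: {audit_server(sample) or 'no disclosure'}")
```

The audit treats a bare product name such as nginx or cloudflare as acceptable and reports each version and each comment separately, so a value like Apache/2.4.57 (Ubuntu) yields two findings: the web server version and the operating system.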
Example
A minimal response identifies the server software without exposing a version number. This is the recommended approach for production environments.
Server: nginx
Some servers include version details and operating system information. This format exposes more surface area for version-based scanning.
Server: Apache/2.4.57 (Ubuntu)
CDN and cloud platforms often replace the origin server value with their own product name.
Server: cloudflare
A custom or intentionally vague value obscures the underlying technology stack.
Server: webserver
Takeaway
The Server header identifies the software on the origin server. Production deployments benefit from limiting the detail in this header to reduce exposure to version-specific vulnerability scans.