Server general response
Identifies the software the origin server used to handle the request — and a common target for security hardening.
What it does
Server identifies the software the origin server used to handle the request — the web server, application framework, or platform. It's the server-side equivalent of User-Agent (which identifies the client).
Server: nginx/1.24.0
Server: Apache/2.4.57 (Ubuntu)
Server: cloudflare
Server: AmazonS3
Syntax
Server: <product>[/<version>][ <comment>]
Examples:
Server: nginx
Server: nginx/1.24.0
Server: Apache/2.4.57 (Debian) OpenSSL/3.0.9
Server: Microsoft-IIS/10.0
Server: Caddy
Server: openresty/1.25.3.1
Security: why you should hide or obscure it
The Server header is a roadmap for attackers. Knowing your exact server software and version lets an attacker look up known CVEs immediately:
Server: Apache/2.4.49 (Ubuntu)
Apache 2.4.49 has CVE-2021-41773 — a path traversal vulnerability allowing remote code execution. An attacker scanning for this sees your Server header and knows exactly what exploit to try.
Best practice: suppress or genericise the Server header.
nginx
# nginx.conf
server_tokens off;
# Result: Server: nginx (no version)
# Or suppress entirely with headers_more module:
more_clear_headers Server;
Apache
# apache2.conf
ServerTokens Prod
# Result: Server: Apache
# Or suppress:
ServerTokens None
Header unset Server
Laravel (via middleware)
// Remove the header entirely:
header_remove('X-Powered-By');
// Or in nginx: fastcgi_hide_header X-Powered-By;
What attackers do with Server headers
Automated scanning. Tools like Shodan, Nuclei, and vulnerability scanners routinely harvest Server headers and cross-reference against CVE databases. A verbose Server header puts you in automated attack queues within hours of deployment.
Fingerprinting for targeted attacks. Even without a specific CVE, knowing you're running nginx vs IIS vs Caddy tells an attacker which attack techniques and wordlists to use.
Version-based targeting. Server: PHP/7.4.33 is an invitation. PHP 7.4 reached EOL in November 2022. Attackers target EOL software knowing patches have stopped.
When Server is useful
Not all context is bad. Server is genuinely useful for:
Debugging infrastructure. When traffic routes through multiple layers (CDN → load balancer → app server), Server helps identify which layer is responding. CDNs typically override Server with their own value (Server: cloudflare, Server: AmazonS3).
Vendor support. When filing bug reports with hosting providers, Server version information helps diagnose issues.
Internal networks. On private/internal services not exposed to the internet, verbose Server headers are less of a concern and can aid debugging.
Common values you'll see
| Value | Source |
|---|---|
nginx |
nginx web server |
Apache |
Apache HTTP Server |
cloudflare |
Cloudflare CDN/proxy |
AmazonS3 |
AWS S3 static hosting |
AmazonS3 / awselb |
AWS ELB/ALB load balancer |
Microsoft-IIS/10.0 |
IIS on Windows Server |
Caddy |
Caddy web server |
openresty |
nginx + Lua (OpenResty) |
Vercel |
Vercel edge network |
GitHub.com |
GitHub Pages |
gws |
Google Web Server |
Common mistakes and gotchas
Leaving default verbose Server headers in production. New installs of nginx, Apache, and PHP all announce their versions by default. Security hardening should include suppressing this on every server.
Thinking obscurity is security. Removing Server doesn't fix vulnerabilities — it just makes automated targeting slightly harder. You still need to patch software, run firewalls, and follow security best practices. Obscurity is one layer, not a strategy.
Forgetting X-Powered-By. Many frameworks set X-Powered-By: PHP/8.2.0 or X-Powered-By: Express alongside Server. Remove both.
Real-world examples
Default verbose (what you want to avoid in production):
HTTP/1.1 200 OK
Server: Apache/2.4.57 (Ubuntu) mod_ssl/2.4.57 OpenSSL/3.0.9
X-Powered-By: PHP/8.2.0
Hardened production response:
HTTP/1.1 200 OK
Server: nginx
Or simply no Server header at all.
CDN response (CDN overwrites origin's value):
HTTP/1.1 200 OK
Server: cloudflare
CF-Ray: 7a1b2c3d4e5f6a7b-BOM
FAQ
Should I remove Server entirely or just obscure it?
Either is fine from a security standpoint. Removing it entirely is slightly cleaner. Some organisations keep a generic value (Server: nginx without version) so the header is present but non-informative. The important thing is no version numbers.
Does removing Server break anything?
No. Server is purely informational — no browser, proxy, or standard HTTP client requires it. Removing it has zero functional impact.
Can I set a custom Server value?
Yes. Some organisations set custom values as a minor fingerprinting defence: Server: webserver. It conveys nothing useful to an attacker. Avoid values that might confuse debugging tools or operations teams.
Fun fact
The Server header's verbose defaults have been a known security issue since at least the late 1990s, yet most web servers still ship with verbose Server headers enabled by default in 2026 — nearly 30 years later. The reason is a mix of legacy behaviour, the fact that most tutorials don't mention suppressing it, and the implicit assumption that running an unpatched web server is the bigger problem. Both are true, but removing version information from Server takes 30 seconds and is one of the easiest security wins available.