The Server response header is used primarily for information purposes, allowing the Client to understand what software is used by the Origin Server. Furthermore, the IETF states that "[the header] is often used by clients to help identify the scope of reported interoperability problems, to work around or tailor requests to avoid particular server limitations, and for analytics regarding server or operating system use". See the Security section for more information on why this header should be disabled if possible.
| Property | Value |
|---|---|
| protocol | HTTP Header |
| type | Response Header |
| Mozilla link | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server |
| RFC | RFC7231 |
The Server header is generally produced by the Origin Server software and does not require any special attention. See Security for more information.
Server = product *( RWS ( product / comment ) )
It is intended that the Server header convey information about the Origin Server's software. It is also common for Server headers to contain additional information about the type of OS running the software, build version information and, as is normally the case with Apache, some information about the core modules that have been included in the build. See the second example, below.
The Server header is not directly related to, or dependent on, any other header.
Example Server headers commonly found on the internet.
Server: cloudflare
Server: Apache/2.4.23 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Server: HP CSWS v8.3
Server: nginx
server: GSE
Server: Apache-Coyote/1.1
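As an added example (not part of the original page), here is a small Python parser for the RFC 7231 grammar shown above, with a helper that reports what a Server value such as the samples above discloses beyond a bare product name; the names `parse_server` and `disclosure_findings` are chosen here, not taken from any library:

```python
import re

# RFC 7231: Server = product *( RWS ( product / comment ) ); product = token ["/" version]
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"({TCHAR})(?:/({TCHAR}))?")

def _read_comment(s, i):
    """s[i] is '('; return (text without outer parens, index after the closing ')')."""
    depth, j = 0, i
    while j < len(s):
        if s[j] == "\\":                  # quoted-pair: skip the escaped character
            j += 2
            continue
        depth += (s[j] == "(") - (s[j] == ")")   # comments may nest
        if depth == 0:
            return s[i + 1:j], j + 1
        j += 1
    raise ValueError("unterminated comment in Server header")

def parse_server(value):
    """Split a Server value into product/comment elements according to the ABNF."""
    items, i = [], 0
    while i < len(value):
        if value[i] in " \t":             # RWS between elements
            i += 1
        elif value[i] == "(":
            text, i = _read_comment(value, i)
            items.append({"kind": "comment", "text": text})
        else:
            m = PRODUCT_RE.match(value, i)
            if not m:
                raise ValueError(f"invalid token at offset {i}")
            items.append({"kind": "product", "name": m[1], "version": m[2]})
            i = m.end()
    if not items or items[0]["kind"] != "product":
        raise ValueError("Server value must start with a product token")
    return items

def disclosure_findings(value):
    """What a Server value reveals beyond one product name; [] means nothing to fix."""
    if value is None:                     # header absent (e.g. removed by a proxy)
        return []
    items = parse_server(value)
    findings = [f"version of {it['name']}: {it['version']}" if it["kind"] == "product"
                else f"comment: {it['text']}"
                for it in items if it["kind"] == "comment" or it["version"]]
    extra = [it["name"] for it in items[1:] if it["kind"] == "product"]
    if extra:                             # bundled modules/libraries are extra detail
        findings.append("additional components: " + ", ".join(extra))
    return findings
```

A bare value such as `Apache` (what `ServerTokens Prod` produces) or `cloudflare` yields no findings, while the second sample above yields five.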
As a rule, it is good policy to add "security through obscurity" to your list of security measures whenever possible, and including this header works against that. If you have control over your own server software, it is advisable to remove or change the Server header if possible. The sections below show how to change or remove the Server header for some popular web servers.
Add the following configuration to the appropriate part of your Apache Server's httpd.conf* file.
<IfModule mod_headers.c>
Header unset Server
</IfModule>
ServerSignature Off
ServerTokens Prod
* This assumes you are using Apache 2.4 or later with mod_headers installed.
Depending on your Nginx build, you may not be able to disable the Server header entirely. At a minimum you can set server_tokens off; in an http, server, location or location if context (most likely in /etc/nginx/nginx.conf), which ensures that the OS and build version of your server are not disclosed. If you have the headers_more module enabled, you can remove the Server header completely by adding more_clear_headers Server; to one of the aforementioned contexts.
Removing the Server header from all Origin Server responses on any given backend can be achieved by adding http-response del-header Server to the backend configuration. This option has a few benefits, most notably that it reduces the need to change configuration on multiple Origin Servers behind HAProxy. Also see our post on rewriting Origin Server headers for servers you do not administer.