Server
Usage
Servers include the Server header to identify the software and optional version information processing the request. The value follows a product token format similar to the User-Agent request header: one or more product names, each optionally followed by a version and a comment.
The level of detail in Server varies by deployment. Revealing specific software versions creates a security risk. Attackers scan for known vulnerabilities in particular versions of web servers, frameworks, and operating systems. A detailed Server header simplifies this reconnaissance.
Common approaches to mitigate this risk include:
Most web servers provide configuration options to control the Server header value. Nginx uses the server_tokens directive. Apache uses ServerTokens and ServerSignature. Reverse proxies and CDNs often override the origin server value with their own identifier.
product
One or more product tokens identifying the server software. Each token optionally includes a version separated by a forward slash, and a comment in parentheses.
Server: <product>/<version> (<comment>)
Multiple products appear space-separated, listed in order of significance.
Example
A minimal response identifies the server software without exposing a version number. This is the recommended approach for production environments.
Server: nginx
Some servers include version details and operating system information. This format exposes more surface area for version-based scanning.
Server: Apache/2.4.57 (Ubuntu)
CDN and cloud platforms often replace the origin server value with their own product name.
Server: cloudflare
A custom or intentionally vague value obscures the underlying technology stack.
Server: webserver
Configuration
Suppress or minimize the Server header to reduce information leakage in production.
nginx:
server_tokens off;
This reduces the value to nginx without a version number. To remove the header entirely, the headers-more module is required:
more_clear_headers Server;
Apache:
ServerTokens Prod
ServerSignature Off
ServerTokens Prod reduces the value to Apache without version or module details. ServerSignature Off removes server information from error pages.
IIS:
Remove the header through URL Rewrite outbound rules or set removeServerHeader=“true” in applicationHost.config (.NET 8+).