Server
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.
The Server
header describes the software used by the origin server that handled the request and generated a response.
The benefits of advertising the server type and version via this header are that it helps with analytics and identifying how widespread specific interoperability issues are. Historically, clients have used the server version information to avoid known limitations, such as inconsistent support for range requests in specific software versions.
Warning: The presence of this header in responses, especially when it contains fine-grained implementation details about server software, may make known vulnerabilities easier to detect.
Too much detail in the Server
header is not advised for response latency and the security reason mentioned above.
It's debatable whether obscuring the information in this header provides much benefit because fingerprinting server software is possible via other means.
In general, a more robust approach to server security is to ensure software is regularly updated or patched against known vulnerabilities instead.
Header type | Response header |
---|---|
Forbidden header name | no |
Syntax
Server: <product>
Directives
<product>
-
A name of the software or the product that handled the request. Usually in a format similar to
User-Agent
.
Examples
Server: Apache/2.4.1 (Unix)
Specifications
Specification |
---|
HTTP Semantics # field.server |
Browser compatibility
BCD tables only load in the browser
See also
Allow
- HTTP Observatory
- Prevent information disclosure via HTTP headers - OWASP Secure Headers Project