Server

Description

The Server response header contains information about the software used by the origin server to handle the request. This header typically identifies the web server software (e.g., Apache, Nginx, IIS) and may include additional details such as version numbers, operating system information, or enabled modules.

The primary purpose of the Server header is to provide basic identification of the server software, which can be helpful for troubleshooting, statistics gathering, and compatibility assessments. However, from a security perspective, detailed server information can potentially help attackers identify vulnerabilities in specific server versions, so many security-conscious organizations choose to limit the information provided in this header.

It's worth noting that the Server header reflects the software running on the origin server, not on any intermediary proxies or CDNs that might be involved in handling the request.

Syntax

The syntax of the Server header follows this structure:

Server: <product>[/<version>] [(<comment>)] [<product>[/<version>] [(<comment>)]]...
  • <product>: The name of a software product.
  • <version>: Optional version information for the product.
  • <comment>: Optional additional information about the product.
  • Multiple products can be listed, separated by spaces.

Example Syntax

Server: Apache/2.4.52 (Ubuntu)

This example indicates that the server is running Apache version 2.4.52 on an Ubuntu operating system.

Server: nginx

This simplified example just identifies the server as Nginx without providing version details.

Examples

Basic Web Server Example

A response from an Apache server:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 18:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1234
Server: Apache/2.4.58 (Unix) OpenSSL/1.1.1q

<!DOCTYPE html>
<html>
<head><title>Example Page</title></head>
<body><p>Hello, World!</p></body>
</html>

Simplified Server Header Example

A response with a simplified Server header for security reasons:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 18:10:30 GMT
Content-Type: application/json
Content-Length: 42
Server: nginx

{"status": "success", "message": "Hello"}

In this example, the server only identifies itself as Nginx without revealing the specific version.

Complex Server Stack Example

A response showing multiple components in the server stack:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 18:20:45 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2345
Server: Apache/2.4.58 (Ubuntu) PHP/8.3.2 mod_ssl/2.4.58 OpenSSL/3.0.8

<!DOCTYPE html>
<html>
<head><title>PHP Application</title></head>
<body>
  <h1>Welcome to our application</h1>
  <p>Server time: 18:20:45</p>
</body>
</html>

This example provides detailed information about the server stack, including Apache version, PHP version, and SSL components.

Custom Server Identification

A response with a custom Server header:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 18:30:15 GMT
Content-Type: application/json
Content-Length: 67
Server: RequestBite API Server

{"version": "1.0", "environment": "production", "region": "eu-west"}

In this example, the server identifies itself with a custom name rather than revealing the underlying web server software.
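
To check what a given Server value discloses, it can be parsed according to the syntax above into products, versions and comments. The following Python audit helper is an added example, not part of the original page: the function names parse_server and disclosures are hypothetical, the sample values are the ones used in the examples above, and the parser is a simplification that does not handle nested or escaped parentheses inside comments.

```python
import re

# One token of a Server value: a "(comment)" or a "product[/version]".
# Simplified grammar: nested or escaped parentheses are not supported.
_TOKEN = re.compile(
    r"\((?P<comment>[^()]*)\)|(?P<product>[^\s/()]+)(?:/(?P<version>[^\s()]+))?")


def parse_server(value):
    """Parse a Server header value into a list of component dicts."""
    components, pos = [], 0
    while pos < len(value):
        if value[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(value, pos)
        if m is None:
            raise ValueError(f"unparseable Server value at offset {pos}: {value!r}")
        if m.group("comment") is not None:
            # A comment annotates the product that precedes it.
            if not components:
                raise ValueError("comment before any product")
            components[-1]["comments"].append(m.group("comment"))
        else:
            components.append({"product": m.group("product"),
                               "version": m.group("version"), "comments": []})
        pos = m.end()
    return components


def disclosures(value):
    """List what the value reveals: versioned products and comments."""
    findings = []
    for c in parse_server(value):
        if c["version"]:
            findings.append(f"version: {c['product']}/{c['version']}")
        findings += [f"comment: {text}" for text in c["comments"]]
    return findings


# Server values taken from the examples on this page.
SAMPLES = [
    "Apache/2.4.58 (Ubuntu) PHP/8.3.2 mod_ssl/2.4.58 OpenSSL/3.0.8",
    "nginx",
    "RequestBite API Server",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", disclosures(s) or "no version or platform detail")
```

An empty result means the value carries only bare product names. In Apache httpd the ServerTokens Prod directive, and in nginx the server_tokens off; directive, reduce the header to that form.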

Summary

The Server response header provides identification information about the software used by the origin server. While this information can be helpful for debugging, statistics, and compatibility purposes, it also presents a potential security consideration as detailed version information might help attackers identify vulnerabilities. For this reason, many organizations configure their servers to provide minimal information in this header. When designing web applications, particularly those with strict security requirements, consider limiting the information exposed through the Server header to reduce the potential attack surface.