The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.
Avoid overly-detailed Server values, as they can reveal information that might make it (slightly) easier for attackers to exploit known security holes.
| Header type | Response header |
|---|---|
| Forbidden header name | no |
Syntax
Server: <product>
Directives
<product>
The name of the software or product that handled the request. Usually in a format similar to User-Agent.
How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers work around a bug those versions had with Content-Encoding combined with Range.
Examples
Server: Apache/2.4.1 (Unix)
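An added example, not part of the original page: a small Python auditor that splits a Server value into product tokens and parenthesised comments (the RFC 7231 grammar) and reports everything beyond a bare product name. The function names are hypothetical, and all sample values other than the page's `Apache/2.4.1 (Unix)` are constructed.

```python
import re

# RFC 7230 "token" characters, used for product names and versions.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")
COMMENT_RE = re.compile(r"\(([^()]*)\)")  # nested comments are not handled


def parse_server(value):
    """Split a Server value into (name, version) products and comments.

    Grammar (RFC 7231): Server = product *( RWS ( product / comment ) )
    """
    products, comments = [], []
    pos, value = 0, value.strip()
    while pos < len(value):
        if value[pos] in " \t":
            pos += 1
            continue
        m = COMMENT_RE.match(value, pos) or PRODUCT_RE.match(value, pos)
        if m is None:
            raise ValueError(f"unparseable Server value at offset {pos}: {value!r}")
        if m.re is COMMENT_RE:
            comments.append(m.group(1).strip())
        else:
            products.append((m.group(1), m.group(2)))  # version may be None
        pos = m.end()
    return products, comments


def audit_server(value):
    """Return findings for detail the header exposes beyond a product name."""
    products, comments = parse_server(value)
    findings = [f"version exposed: {n}/{v}" for n, v in products if v]
    findings += [f"comment exposed: ({c})" for c in comments if c]
    return findings


# Sample values: the first is the example from this page, the rest are constructed.
SAMPLES = [
    "Apache/2.4.1 (Unix)",
    "Apache",
    "nginx/1.18.0 (Ubuntu)",
    "Apache/2.4.1 (Unix) OpenSSL/1.0.1 PHP/5.4.0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: {audit_server(s) or 'product name only'}")
```

An empty findings list means the header carries only product names, which is the least detailed form the syntax allows.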
Specifications
| Specification | Title |
|---|---|
| RFC 7231, section 7.4.2: Server | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
Browser compatibility
| Platform | Browser | Server |
|---|---|---|
| Desktop | Chrome | Full support (Yes) |
| Desktop | Edge | Full support (12) |
| Desktop | Firefox | Full support (Yes) |
| Desktop | IE | Full support (Yes) |
| Desktop | Opera | Full support (Yes) |
| Desktop | Safari | Full support (Yes) |
| Mobile | WebView Android | Full support (Yes) |
| Mobile | Chrome Android | Full support (Yes) |
| Mobile | Firefox Android | Full support (Yes) |
| Mobile | Opera Android | Full support (Yes) |
| Mobile | Safari iOS | Full support (Yes) |
| Mobile | Samsung Internet Android | Full support (Yes) |
