The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.
Avoid overly-detailed Server values, as they can reveal information that might make it (slightly) easier for attackers to exploit known security holes.
Header type | Response header |
---|---|
Forbidden header name | no |
Syntax
Server: <product>
Directives
- <product>: The name of the software or product that handled the request. Usually in a format similar to User-Agent.

How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers work around a bug those versions had with Content-Encoding combined with Range.
Examples
Server: Apache/2.4.1 (Unix)
Specifications
Specification | Title |
---|---|
RFC 7231, section 7.4.2: Server | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
Browser compatibility
Browser | Platform | Full support |
---|---|---|
Chrome | Desktop | Yes |
Edge | Desktop | 12 |
Firefox | Desktop | Yes |
IE | Desktop | Yes |
Opera | Desktop | Yes |
Safari | Desktop | Yes |
WebView Android | Mobile | Yes |
Chrome Android | Mobile | Yes |
Firefox Android | Mobile | Yes |
Opera Android | Mobile | Yes |
Safari iOS | Mobile | Yes |
Samsung Internet Android | Mobile | Yes |