The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.

Avoid overly-detailed Server values, as they can reveal information that might make it (slightly) easier for attackers to exploit known security holes.

Header type: Response header
Forbidden header name: no


Server: <product>



<product>
    The name of the software or product that handled the request. Usually in a format similar to User-Agent.

How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers work around a bug those versions had with Content-Encoding combined with Range.


Server: Apache/2.4.1 (Unix)


Specification: RFC 7231, section 7.4.2: Server
Title: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

Browser compatibility

Support for Server, by browser:
Chrome: Full support (Yes)
Edge: Full support (12)
Firefox: Full support (Yes)
Internet Explorer: Full support (Yes)
Opera: Full support (Yes)
Safari: Full support (Yes)
Android webview: Full support (Yes)
Chrome for Android: Full support (Yes)
Firefox for Android: Full support (Yes)
Opera for Android: Full support (Yes)
Safari on iOS: Full support (Yes)
Samsung Internet: Full support (Yes)

