The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.

Avoid overly-detailed Server values, as they can reveal information that might make it (slightly) easier for attackers to exploit known security holes.


Server: <product>



The name of the software or product that handled the request. Usually in a format similar to User-Agent.

How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers work around a bug those versions had with Content-Encoding combined with Range.


Server: Apache/2.4.1 (Unix)


Specification Title
RFC 7231, section 7.4.2: Server Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

Browser compatibilityUpdate compatibility data on GitHub

Chrome Edge Firefox Internet Explorer Opera Safari
Server Yes 12 Yes Yes Yes Yes
Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
Server Yes Yes Yes Yes Yes Yes

See also

© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.