The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.
Warning: Avoid overly-detailed Server values, as they can reveal information that may make it (slightly) easier for attackers to exploit known security holes.
| Header type | Response header |
|---|---|
| Forbidden header name | no |
Server: <product>
A name of the software or the product that handled the request. Usually in a format similar to User-Agent.
How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers to work around a bug of the versions with Content-Encoding and Range in combination.
Server: Apache/2.4.1 (Unix)
| Specification |
|---|
| HTTP Semantics # field.server |
| Desktop | Mobile | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | WebView Android | Chrome Android | Firefox for Android | Opera Android | Safari on IOS | Samsung Internet | |
Server |
Yes |
12 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
© 2005–2022 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server