Server
Response header General

Overview

Server reports the software the origin server used to produce the response. Think of it as the server-side identity string that mirrors the request's User-Agent.

The format is a list of product tokens with optional versions and comments (e.g. `nginx/1.25.3`, `Apache/2.4.57 (Ubuntu)`). Passing through several middlewares can append multiple tokens.

Details

The value is informational, meant for humans, and by principle should not drive programmatic behavior. For operations it is a handy debugging clue about which web server and version answered.

From a security standpoint, exposing a detailed version is information disclosure. A value like `Server: Apache/2.4.49` helps an attacker target a known CVE immediately. So in practice you should hide the version to leave just the product name (`Server: nginx`, via nginx `server_tokens off;` or Apache `ServerTokens Prod`), or strip/obscure the header entirely.

Behind a reverse proxy or CDN, the Server value is often replaced by the proxy's (e.g. cloudflare) rather than the origin's. Intermediaries on the path identify themselves with the Via header, whereas Server names the software that ultimately produced the response — a different role.

Syntax

Server: <product>[/<version>] [<comment>] ...

e.g. Server: nginx

Notes

Related headers

User-AgentViaX-Powered-ByDate

Specification