
Server

Purpose

Why use this header at all?

This header tells the client (browser) which web server software, and potentially which operating system, you are running. It is mainly used by software vendors to measure market share, so they have an incentive to keep the header in place by forcing its output (Apache / httpd).

Recommendation

Consider the Impact of Compliance section below to see if this recommendation works for you.

Disable this header or minimize its output.

Risk Mitigated

By following this recommendation, what risk is mitigated?

Disabling this header reduces the accuracy of fingerprinting your web server's software and adds a layer of complexity for an attacker. This increases the chance that you will notice attacks as they happen and your ability to react. Disabling it also makes determining which CVEs apply considerably more difficult.

Impact of Compliance

By following this recommendation, you may expect these changes in your site's functionality.

There should be no impact to your site, servers, or third party consumers if you disable the header.

Next Steps

What you can do to get there

Your web server configuration should contain options for disabling this header or minimizing its value to attackers.

Example

What this header may look like when implemented securely

A typical default value, which leaks the product, its version and the operating system:

Server: Apache/2.2.3 (CentOS)

When implemented securely, this header should be ABSENT.
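As an added example that is not part of the original page, a small Python check that classifies how much a Server header reveals (absent, product only, version, operating system), run over constructed sample responses rather than captured ones:

```python
import re
from typing import Dict, Optional

# Constructed sample responses for demonstration; not captured from any real host.
SAMPLES = {
    "default_apache": {"Server": "Apache/2.2.3 (CentOS)"},
    "tokens_prod":    {"Server": "Apache"},
    "nginx_version":  {"Server": "nginx/1.18.0"},
    "removed":        {"Content-Type": "text/html"},
}

# "Product/version" followed by an optional "(comment)" such as an OS or distribution name.
SERVER_RE = re.compile(
    r"^\s*(?P<product>[^/\s(]+)(?:/(?P<version>[^\s(]+))?(?:\s*\((?P<comment>[^)]*)\))?"
)


def classify_server_header(headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Report what a Server header leaks and an exposure label built from the parts present.

    Exposure labels, best to worst:
      absent              - header missing or empty (the recommendation above)
      product             - product name only, e.g. after Apache's 'ServerTokens Prod'
      product+version     - enough to look up version-specific CVEs
      product+version+os  - also leaks the operating system or distribution
    """
    value = next((v for k, v in headers.items() if k.lower() == "server"), "").strip()
    if not value:
        return {"exposure": "absent", "product": None, "version": None, "comment": None}
    m = SERVER_RE.match(value)
    if m is None:  # unparseable value: treat the whole string as an opaque product name
        return {"exposure": "product", "product": value, "version": None, "comment": None}
    product, version, comment = m.group("product"), m.group("version"), m.group("comment")
    parts = ["product"] + (["version"] if version else []) + (["os"] if comment else [])
    return {"exposure": "+".join(parts), "product": product, "version": version, "comment": comment}


def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, str]:
    """Return only the responses that still leak more than a bare product name."""
    results = {name: classify_server_header(h)["exposure"] for name, h in samples.items()}
    return {name: exp for name, exp in results.items() if exp not in ("absent", "product")}


if __name__ == "__main__":
    for name, h in SAMPLES.items():
        print(f"{name:15} -> {classify_server_header(h)}")
    print("still leaking:", audit())
```

With Apache, `ServerTokens Prod` together with `ServerSignature Off` reduces the value to the product name, and nginx's `server_tokens off` does the same; removing the header entirely usually needs an extra module or a reverse proxy in front of the server.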

