The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.

Warning: Avoid overly-detailed Server values, as they can reveal information that may make it (slightly) easier for attackers to exploit known security holes.

Header type Response header
Forbidden header name no


Server: <product>



A name of the software or the product that handled the request. Usually in a format similar to User-Agent.

How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers to work around a bug of the versions with Content-Encoding and Range in combination.


Server: Apache/2.4.1 (Unix)


Unknown specification
# field.server

Browser compatibility

BCD tables only load in the browser

See also