Does the 'Server' header serve any purpose?

@Cofer257

Posted in: #HttpHeaders #Security

For example, when I dump the response header for my server I get:

Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g


Is this used for anything? Is it a security risk (albeit small) broadcasting the server makeup?


2 Comments


@Twilah146

With a Server header that long, shortening it or getting rid of it entirely could also provide a tiny performance benefit.

As Jesper notes, it's not a big issue, but if you're trying to squeeze out every extra millisecond from your page load times, it could make a difference — particularly if you're loading lots of small files, which is bad from a performance viewpoint in itself, but sometimes unavoidable.

I suspect that's one reason why, for example, Google's webservers just say:

Server: gws


or

Server: sffe


Sure, they could've spelled out "gws" as "Google Web Server" without disclosing any more information, but that would add 14 completely useless bytes to every HTTP response. With Google's request volume, those few bytes might well add up to more bandwidth than your average small website uses in total.

@Nimeshi995

No, it is not used for anything important. (Netcraft's server market share surveys probably use it, as presumably do other third-party surveys.)

Yes, it is a (very) small security issue. Of course your server should be secured and up to date at all times, but having an extra layer of 'obscurity' on top of a well secured server is only beneficial. If nothing else, if an attacker needs to undertake extensive 'fingerprinting' before attacking, then you might get some early warning of an attack if you monitor your logfiles closely.

You can safely turn down the level of detail being broadcast if you want to. On the other hand, it isn't a big deal, and if you're on a shared server where you cannot change this, then don't sweat it.

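Added example, not part of the original thread: the snippet below parses a Server header into its product tokens and comments (the RFC 7231 grammar: `product *( RWS ( product / comment ) )`), lists the versioned components an attacker would harvest from it, and models what Apache's `ServerTokens` levels (Prod, Major, Minor, Min, OS, Full) would leave of the same header. The sample header is the one quoted in the question; the level simulation reproduces the output format documented for the directive and is not Apache's own code. Note that per the grammar the words "with" and "Suhosin-Patch" are themselves product tokens without versions, which is exactly what the parser reports.

```python
"""Parse an HTTP Server header and model Apache's ServerTokens levels.

Added example for the thread above; not code from any of the posters.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the header value quoted in the question.
SAMPLE = ("Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch "
          "mod_ssl/2.2.11 OpenSSL/0.9.8g")

# RFC 7231 tchar set; product = token ["/" product-version], comment = "(" ... ")"
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PART = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?|\(([^)]*)\)")

# Levels documented for Apache's ServerTokens directive (aliases included).
_LEVELS = {"prod", "productonly", "major", "minor", "min", "minimal", "os", "full"}


@dataclass
class Product:
    name: str
    version: str = ""  # empty when the token carries no "/version" part


def parse_server(value: str) -> Tuple[List[Product], List[str]]:
    """Split a Server header value into product tokens and (comment) strings."""
    products: List[Product] = []
    comments: List[str] = []
    for m in _PART.finditer(value):
        if m.group(3) is not None:          # parenthesised comment, e.g. (Ubuntu)
            comments.append(m.group(3))
        else:                               # product token, optionally versioned
            products.append(Product(m.group(1), m.group(2) or ""))
    return products, comments


def versioned_components(value: str) -> Dict[str, str]:
    """What a fingerprinting tool actually takes away: name -> exact version."""
    products, _ = parse_server(value)
    return {p.name: p.version for p in products if p.version}


def server_tokens_view(value: str, level: str) -> str:
    """Model of what Apache emits for a given ServerTokens level.

    Only the first product is kept below Full; OS appends the first comment.
    This mirrors the documented output format, not Apache's implementation.
    """
    lvl = level.lower()
    if lvl not in _LEVELS:
        raise ValueError(f"unknown ServerTokens level: {level}")
    if lvl == "full":
        return value
    products, comments = parse_server(value)
    if not products:
        return value
    first = products[0]
    if lvl in ("prod", "productonly") or not first.version:
        return first.name                   # e.g. "Apache" (or "gws" as-is)
    parts = first.version.split(".")
    if lvl == "major":
        return f"{first.name}/{parts[0]}"
    if lvl == "minor":
        return f"{first.name}/{'.'.join(parts[:2])}"
    if lvl in ("min", "minimal"):
        return f"{first.name}/{first.version}"
    os_comment = f" ({comments[0]})" if comments else ""
    return f"{first.name}/{first.version}{os_comment}"   # lvl == "os"


if __name__ == "__main__":
    print("Disclosed versions:", versioned_components(SAMPLE))
    for level in ("Prod", "Major", "Minor", "Min", "OS", "Full"):
        print(f"ServerTokens {level:<5} -> Server: {server_tokens_view(SAMPLE, level)}")
```

Running it shows the full header hands over four exact versions (Apache, PHP, mod_ssl, OpenSSL) plus the distribution, while `ServerTokens Prod` leaves only `Server: Apache`, modules' components included. The PHP string in the sample is added by mod_php, and `expose_php = Off` in php.ini stops PHP announcing itself (it also drops the `X-Powered-By` header); `ServerSignature Off` removes the matching footer from Apache-generated error pages.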