82% of Websites Expose Their Server Version — Fix It in 30 Seconds

Updated April 2026

A February 2026 study scanning 10,000 websites found that 82.9% send a Server header revealing their web server software and version number. This is the easiest security header fix on this site — one line, no testing required.

Why exposing the Server header matters

When an attacker scans your site, one of the first things they look at is the Server header, for example Server: nginx/1.18.0 or Server: Apache/2.4.51 (Ubuntu). Knowing the exact version tells them which CVEs to target. Removing it does not prevent attacks — but it removes a free information source.

# What your site currently sends (check with curl; -s silences the progress meter)
curl -sI https://yoursite.com | grep -i server
Server: nginx/1.24.0  # ← attackers know which CVEs apply

Nginx — remove in 1 line

# nginx.conf — inside the http {} block
# (also drops the version from nginx's built-in error pages)
server_tokens off;

# Result: Server: nginx (no version)
# Or remove the header entirely with the headers-more module:
# more_clear_headers Server;

Apache — remove version

# httpd.conf — note: Apache does not allow comments after a directive on the same line,
# so keep comments on their own lines or the config fails to parse.
# ServerTokens is valid only in the main server config, not in .htaccess;
# ServerSignature may also be set in a virtual host, directory block or .htaccess.

# Shows "Apache" only, no version
ServerTokens Prod
# Removes the version from server-generated error pages
ServerSignature Off

Express / Node.js

// Express sends "X-Powered-By: Express" by default — disable it
app.disable("x-powered-by");

// Or use helmet, which does this automatically
const helmet = require("helmet");
app.use(helmet()); // removes X-Powered-By among other things

Vercel (vercel.json)

Vercel sets server: Vercel — you cannot remove it but it reveals no exploitable version info. This is acceptable.

Cloudflare

Cloudflare replaces your origin server header with cloudflare. Your origin version is hidden. No action needed if behind Cloudflare.

FastAPI / Uvicorn

# Uvicorn sends no Server header by default in recent versions
# (uvicorn also accepts --no-server-header on the CLI, or
# server_header=False in uvicorn.run(), to switch its own header off).
# If you see one, disable it in your ASGI config or add a middleware:
@app.middleware("http")
async def remove_server_header(request, call_next):
    response = await call_next(request)
    # Starlette's MutableHeaders supports `in` and `del`, so strip it if present
    if "server" in response.headers:
        del response.headers["server"]
    return response

Verify the fix

curl -sI https://yoursite.com | grep -i server
# Should return nothing, or just "server: nginx" with no version

Use HeadersFixer to check your live site — it shows the exact Server header value and flags it if version information is exposed.
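As an added example (not code from the article or from HeadersFixer), the script below does the verification step offline: it parses the output of curl -sI and flags the Server and X-Powered-By headers as missing, product-only, or version-exposed. The sample responses are constructed; the version pattern (one or more dotted numbers) is an assumption about what counts as a version.

```python
import re
import sys

# Constructed sample: what a site sends before applying the fixes above.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Date: Tue, 07 Apr 2026 10:00:00 GMT
Content-Type: text/html
Server: nginx/1.24.0
X-Powered-By: Express
"""

# Constructed sample: the same site after server_tokens off and app.disable().
SAMPLE_AFTER = """HTTP/1.1 200 OK
Content-Type: text/html
Server: nginx
"""

# Headers that commonly fingerprint the stack.
FINGERPRINT_HEADERS = ("server", "x-powered-by")
# Assumption: a dotted number such as 1.24.0 or 2.4.51 is a version string.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


def parse_headers(raw: str) -> dict:
    """Turn a raw HTTP response head into a {lowercase-name: value} dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(value):
    """Classify one header value: missing, product-only, or version-exposed."""
    if not value:
        return "missing"
    if VERSION_RE.search(value):
        return "version-exposed"
    return "product-only"  # e.g. "nginx", "cloudflare", "Vercel"


def audit(raw: str) -> dict:
    """Report the classification of every fingerprinting header in a response."""
    headers = parse_headers(raw)
    return {name: classify(headers.get(name)) for name in FINGERPRINT_HEADERS}


if __name__ == "__main__":
    # Usage: curl -sI https://yoursite.com | python3 check_server_header.py
    for name, verdict in audit(sys.stdin.read()).items():
        print(f"{name}: {verdict}")
```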
