The Server header identifies the software handling the request. By default most servers and frameworks fill it with the product name and often the exact version (for example, a string naming the framework and the Python version), which lets an attacker match the deployment against known vulnerabilities without further probing. For this reason it is recommended to obscure or remove the header. Note that doing so hides information but does not fix vulnerable software; treat it as hardening, not as a substitute for patching.
- Set an empty value or a custom string: set the Server header to an empty value ("") or to a non-informative value so that it reveals nothing specific about the server software.
- Avoid exposing server information: do not leave the default server response in place, since it usually carries the product name and version.
The Server class in secure.py allows you to control the Server header value; its default is an empty string, so the header is sent but reveals nothing:

```python
from secure import Secure, Server

secure_headers = Secure(
    server=Server().set("")
)
```
- set(value): Set a custom value for the Server header.
- clear(): Clear any custom value and revert the header to its default secure value (an empty string).
To set up the Server header and hide the server information:

```python
from secure import Secure, Server

server_header = Server().set("")
print(server_header.header_name)   # Output: 'Server'
print(server_header.header_value)  # Output: ''
```

This can then be applied as part of your Secure headers configuration:

```python
secure_headers = Secure(server=server_header)
```
Some servers, such as Uvicorn, inject their own Server header at the protocol level, after the application has produced its response, so a value set from the application does not replace it. If you are using Uvicorn and need to override or remove this header, refer to the framework integration guide for specific instructions on how to disable Uvicorn's default Server header. The same applies to a reverse proxy in front of the application: nginx, for example, sends a Server header of its own and must be configured separately. After deploying, confirm from outside (for instance with `curl -sI` against the public URL) that the Server value clients actually receive is the one you configured.
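The following is an added example, not code from secure.py, showing the mechanism behind the Server class and the Uvicorn caveat above: a hypothetical pure-ASGI middleware (ServerHeaderMiddleware) that replaces whatever Server header the application emits with a chosen value (empty by default, as in secure.py), together with a small audit helper that classifies the Server header a response carries. The sample application, its leaked header value and the request scope are constructed for the demonstration. Because the middleware only sees the application's own response messages, it cannot touch a header that the server process adds on its own, which is exactly why Uvicorn's header has to be disabled in Uvicorn itself.

```python
"""Rewrite and audit the Server header of ASGI responses (added example)."""
import asyncio
import re
from typing import List, Tuple

Headers = List[Tuple[bytes, bytes]]


def set_server_header(headers: Headers, value: str = "") -> Headers:
    """Return a copy of ``headers`` with every Server header removed and a
    single ``server: <value>`` pair appended. Names are compared
    case-insensitively; an empty ``value`` sends ``Server:`` with no content,
    matching secure.py's default."""
    kept = [(name, val) for name, val in headers if name.lower() != b"server"]
    kept.append((b"server", value.encode("latin-1")))
    return kept


class ServerHeaderMiddleware:
    """Hypothetical pure-ASGI middleware (not part of secure.py) that rewrites
    the Server header of every HTTP response the wrapped app emits."""

    def __init__(self, app, value: str = "") -> None:
        self.app = app
        self.value = value

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                message = dict(message)  # do not mutate the app's message
                message["headers"] = set_server_header(
                    list(message.get("headers", [])), self.value
                )
            await send(message)

        await self.app(scope, receive, send_wrapper)


_DIGIT = re.compile(r"\d")


def classify_server_header(headers: Headers) -> str:
    """Audit helper: 'absent', 'empty', 'versioned' (contains a digit, e.g.
    'nginx/1.25.3'), or 'generic' (a product name without a version)."""
    values = [val for name, val in headers if name.lower() == b"server"]
    if not values:
        return "absent"
    joined = b" ".join(values).decode("latin-1").strip()
    if not joined:
        return "empty"
    return "versioned" if _DIGIT.search(joined) else "generic"


async def leaky_app(scope, receive, send):
    """Constructed sample app that leaks framework and Python versions."""
    await send({
        "type": "http.response.start",
        "status": 200,
        "headers": [
            (b"content-type", b"text/plain"),
            (b"Server", b"Werkzeug/2.3.7 Python/3.11.4"),  # constructed value
        ],
    })
    await send({"type": "http.response.body", "body": b"ok"})


def response_headers(app) -> Headers:
    """Drive ``app`` with a minimal constructed HTTP scope and capture the
    headers of the response it starts."""
    captured: Headers = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.start":
            captured.extend(message["headers"])

    scope = {"type": "http", "method": "GET", "path": "/", "headers": []}
    asyncio.run(app(scope, receive, send))
    return captured


if __name__ == "__main__":
    before = response_headers(leaky_app)
    after = response_headers(ServerHeaderMiddleware(leaky_app))
    print(classify_server_header(before), before)  # versioned
    print(classify_server_header(after), after)    # empty
```

Wrapping the application with `ServerHeaderMiddleware(app, value="webserver")` yields a "generic" header instead of an empty one, which is the non-informative-string option described above. Run `classify_server_header` against headers captured from a real deployment (for example, parsed from `curl -sI` output) to check what the edge actually sends, since a proxy or the server process may add a Server header the application never sees.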
This library implements security recommendations from trusted sources:
- MDN Web Docs (licensed under CC-BY-SA 2.5)
- OWASP Secure Headers Project (licensed under CC-BY-SA 4.0)