Hide Server Signature

How can I hide the server signature in HTTP response headers? This is important to me for security reasons.

Hi, @askthings, it isn’t possible to hide that at Netlify. We always include the header below:

server: Netlify

This doesn’t reveal the specific technologies we use but it does identify that we are hosting the site. If you want us to enter a feature request to be able to change or suppress this header, please let us know and we will be happy to do so.

I would like to enter that feature request, thank you!

We’d need to know a little more about your use case to file a good feature request. Can you explain more about what obscuring the server response can buy you in security terms, when people can tell that you use our service through other means in several trivial ways?

I do appreciate that better security serves us all well, but I am certain this feature request will be closed WONTFIX unless we give much more context about why it is needed than “an auditor has a checklist item about not sharing that” 🙂

Well, an auditor used their checklist to compile a security evaluation report of a form we want to host on Netlify and this item made it into the report. The specified reason: it reveals the platform used to host the form. Our client has specified that reported items need to be addressed, so this is me addressing this item to the extent that we currently can.

To be honest you’re right that this line does not reveal any details about your platform. However, it does make it a lot easier for hackers who’ve somehow managed to pass your security to very efficiently find other websites to attack.

Thanks for elaborating, @woutervandam! We do have an open feature request for this internally and I’ve added this thread to the conversation there so we can follow up here if the feature gets implemented.
