Hide Server Signature

How can I hide the server signature in HTTP response headers? This is important to me for security reasons.
Thanks.

1 Like

Hi, @askthings, it isn’t possible to hide that at Netlify. We always include the header below:

server: Netlify

This doesn’t reveal the specific technologies we use but it does identify that we are hosting the site. If you want us to enter a feature request to be able to change or suppress this header, please let us know and we will be happy to do so.

I would like to enter that feature request, thank you!

1 Like

We’d need to know a little more about your use case to file a good feature request. Can you explain more about what obscuring the server response can buy you in security terms, when people can tell that you use our service through other means in several trivial ways?

I do appreciate that better security serves us all well, but I am certain this feature request will be closed WONTFIX unless we give much more context about why it is needed than “an auditor has a checklist item about not sharing that” :slight_smile:

Well, an auditor used their checklist to compile a security evaluation report of a form we want to host on Netlify and this item made it into the report. The specified reason: it reveals the platform used to host the form. Our client has specified that reported items need to be addressed, so this is me addressing this item to the extent that we currently can.

To be honest you’re right that this line does not reveal any details about your platform. However, it does make it a lot easier for hackers who’ve somehow managed to pass your security to very efficiently find other websites to attack.

1 Like

Thanks for elaborating, @woutervandam! We do have an open feature request for this internally and I’ve added this thread to the conversation there so we can follow up here if the feature gets implemented.

2 Likes

It’s not just for security concerns but more about branding I think, like paid users on Wix and Weebly get to have the logo removed from their websites. Netlify could offer this feature as part of its paid plan. It would certainly make the Pro plan more attractive to me.

In the case of Wix (haven’t tested Weebly) it is still evident (even for an enterprise customer) that the site is hosted on Wix from other headers. An example is the link header which looks like

link: <https://static.parastorage.com/>; rel=preconnect; crossorigin;,
      <https://static.parastorage.com/>; rel=preconnect;,
      <https://fonts.gstatic.com>; rel=preconnect; crossorigin;,
      <https://static.wixstatic.com/>; rel=preconnect; crossorigin;,
      <https://static.wixstatic.com/>; rel=preconnect;,
      <https://siteassets.parastorage.com>; rel=preconnect; crossorigin;,

This shows two references to wixstatic.com.
(Formatting for readability.)

Also, there is the x-wix-request-id which also gives away the platform. Add to this the server header server: Pepyaka/1.19.10 which is known as the platform Wix uses (see: here, here, and here.)

If Netlify was to hide the server: Netlify, the x-nf-request-id would still exist. This would indicate the platform.
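The point made in the last two posts, that suppressing the server header alone does not hide the hosting platform because other headers give it away, can be checked mechanically. The following is an added example written for this thread, not code from Netlify, Wix or any poster. The fingerprint rules are built only from the header names and values quoted above (server: Netlify, x-nf-request-id, server: Pepyaka/1.19.10, x-wix-request-id and the link preconnect hints to wixstatic.com and parastorage.com); the sample responses and the request-id values in them are constructed for the example, and the fetch_headers helper is an optional convenience for running the same check against a live site.

```python
"""Fingerprint a hosting platform from HTTP response headers.

Added example for the thread above; not Netlify's or Wix's code.
The signal table is derived from the headers quoted in the thread.
The sample responses and request ids below are constructed.
"""
import re
import urllib.request
from typing import Dict, List, Tuple

# (platform, header name, regex over the header value).
# Header names are compared case-insensitively, as HTTP requires.
SIGNALS: List[Tuple[str, str, str]] = [
    ("Netlify", "server", r"^netlify$"),
    ("Netlify", "x-nf-request-id", r"."),          # any non-empty value
    ("Wix", "server", r"^pepyaka\b"),
    ("Wix", "x-wix-request-id", r"."),             # any non-empty value
    ("Wix", "link", r"wixstatic\.com|parastorage\.com"),
]


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names so lookups are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def fingerprint(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {platform: [header names that matched]} for the response."""
    h = normalize(headers)
    hits: Dict[str, List[str]] = {}
    for platform, name, pattern in SIGNALS:
        value = h.get(name)
        if value is not None and re.search(pattern, value, re.IGNORECASE):
            hits.setdefault(platform, []).append(name)
    return hits


def strip_server(headers: Dict[str, str]) -> Dict[str, str]:
    """Simulate a host that suppresses only the server header."""
    return {n: v for n, v in headers.items() if n.lower() != "server"}


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Optional live check: HEAD request, returns the response headers.
    Not exercised offline; requires network access."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (request ids are made up).
NETLIFY_SAMPLE = {
    "Server": "Netlify",
    "X-NF-Request-ID": "01HZZZZZZZZZZZZZZZZZZZZZZZ",
    "Content-Type": "text/html; charset=utf-8",
}

WIX_SAMPLE = {
    "Server": "Pepyaka/1.19.10",
    "X-Wix-Request-Id": "1700000000.000000000000000000",
    "Link": (
        "<https://static.parastorage.com/>; rel=preconnect; crossorigin;,"
        "<https://static.parastorage.com/>; rel=preconnect;,"
        "<https://fonts.gstatic.com>; rel=preconnect; crossorigin;,"
        "<https://static.wixstatic.com/>; rel=preconnect; crossorigin;,"
        "<https://static.wixstatic.com/>; rel=preconnect;,"
        "<https://siteassets.parastorage.com>; rel=preconnect; crossorigin;,"
    ),
}

GENERIC_SAMPLE = {"Server": "nginx", "Content-Type": "text/html"}


if __name__ == "__main__":
    for label, sample in (("netlify", NETLIFY_SAMPLE), ("wix", WIX_SAMPLE),
                          ("generic", GENERIC_SAMPLE)):
        print(label, "full headers:", fingerprint(sample))
        print(label, "server header removed:", fingerprint(strip_server(sample)))
```

Running it shows that removing the server header from either sample still leaves the platform identified through the request-id header (and, for Wix, the link header as well), which is exactly what an auditor's "hide the server banner" item fails to account for; the same script pointed at a real site via fetch_headers gives the list of headers a site owner would actually need to change.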