Server Header Checker

Find out what software is serving a URL. Enter an address and this tool reads the live Server and X-Powered-By headers, picks up CDN and proxy hints, and flags any version numbers the server is disclosing. It both answers "what is this site running on?" and shows whether the server is leaking version details an attacker could use to target known vulnerabilities.

We fetch the URL live from our server and read its Server and related headers. Nothing is stored.

How to use the Server Header Checker

Enter a URL and press Check server header. The tool fetches the page and reports:

  • The Server header — the web server software, such as nginx, Apache, cloudflare or LiteSpeed.
  • X-Powered-By and similar headers that reveal the application stack (PHP, ASP.NET, Express).
  • CDN and proxy hints from headers like cf-ray, via and x-served-by.
  • An information-disclosure note when a header exposes a precise version number.

Be aware that these headers are voluntary. Many well-configured servers strip or genericise them on purpose, so an empty or vague Server header is a sign of good hygiene rather than a failure of the tool.

What the Server header tells you

The Server header is a short string the web server adds to every response identifying the software that produced it. In its fullest form it can read something like Apache/2.4.41 (Ubuntu) — naming the product, the exact version, and even the operating system. Related headers like X-Powered-By (PHP/8.1.2) and X-AspNet-Version add the application-layer stack.

This information is useful for legitimate reasons — knowing whether a site runs nginx or Apache, or sits behind Cloudflare, helps with debugging, compatibility and competitive research. But the same detail is a gift to attackers:

  • Version fingerprinting — a precise version like nginx/1.18.0 lets an attacker look up exactly which published vulnerabilities (CVEs) apply, turning a broad scan into a targeted one.
  • Stack mapping — X-Powered-By: PHP/7.2 reveals not just the language but that it is an end-of-life version no longer receiving security fixes.
  • Reduced effort for the attacker — every detail you volunteer is reconnaissance they do not have to perform themselves.

The widely recommended practice is to minimise disclosure: remove X-Powered-By entirely, and either drop the Server header or reduce it to the product name without a version (Server: nginx). This does not make the server more secure on its own — security comes from patching — but it denies attackers an easy map and is trivial to configure. This tool shows what a given site currently reveals.

Common use cases

  • Identifying a stack — quickly see what web server and application framework a site runs.
  • Security hygiene checks — spot servers leaking precise version numbers that should be hidden.
  • Detecting a CDN — recognise Cloudflare, Fastly, Vercel and similar from their tell-tale headers.
  • Spotting end-of-life software — catch disclosed versions of PHP, ASP.NET or a server that are no longer supported.
  • Competitive and vendor research — understand the infrastructure a given organisation uses.

How to reduce server fingerprinting

If this tool shows your own site disclosing versions, tightening it is quick:

  • nginx — set server_tokens off; to drop the version from the Server header (the product name remains).
  • Apache — set ServerTokens Prod and ServerSignature Off to reduce the header to Apache with no version or OS.
  • PHP — set expose_php = Off in php.ini to remove the X-Powered-By: PHP/… header entirely.
  • Application frameworks — remove framework banners (for example disable the X-Powered-By header in Express or ASP.NET) at the app or proxy layer.
  • Behind a CDN — a reverse proxy or CDN can rewrite or strip these headers centrally, regardless of the origin software.

Remember this is obscurity, not security: it raises the effort for opportunistic attackers but is no substitute for keeping software patched.
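
To confirm the disclosure described under "What the Server header tells you" and verify the hardening steps above, the same check can be scripted against a response header block. This is an added example, not this tool's own code; the function name audit_headers, the version pattern and the sample responses are assumptions constructed for illustration.

```python
import re

# Headers the page names as CDN/proxy hints, mapped to what they suggest.
CDN_HINTS = {"cf-ray": "Cloudflare", "x-served-by": "Fastly",
             "x-vercel-id": "Vercel", "via": "proxy"}
# Headers that describe the server or application stack.
STACK_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Assumed pattern: a version is two or more dot-separated numbers (1.18.0, 8.1).
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def audit_headers(raw_headers):
    """Return (disclosures, cdn_hints) for a raw HTTP response header block."""
    headers = {}
    for line in raw_headers.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    disclosures = []
    for name in STACK_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        match = VERSION_RE.search(value)
        if match:
            disclosures.append((name, "version", match.group()))
        elif name != "server":
            # Version-free, but the header still names the application stack.
            disclosures.append((name, "stack", value))
    cdn = sorted({CDN_HINTS[h] for h in headers if h in CDN_HINTS})
    return disclosures, cdn


# Constructed sample responses (not captured from any real site).
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.2.24
"""
AFTER = """HTTP/1.1 200 OK
Server: Apache
"""
EDGE = """HTTP/1.1 200 OK
Server: cloudflare
CF-RAY: 0000000000000000-XXX
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER), ("cdn", EDGE)):
        print(label, audit_headers(sample))
```

A version-free Server value such as Apache or cloudflare is treated as acceptable, matching the recommendation above; any X-Powered-By value is reported because the page advises removing that header entirely.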

Frequently asked questions

How do I find out what web server a site runs?

Enter the URL above and press Check server header. The tool reads the live Server header and related headers and reports the web server software, the application stack and any CDN hints.

Why is the Server header empty or vague?

Because it is optional and many sites deliberately strip or genericise it. An empty or version-free Server header is a sign of good security hygiene, not a tool error.

Is it bad to expose the server version?

It is a minor risk. A precise version lets attackers look up exactly which known vulnerabilities apply, turning a broad scan into a targeted one. Hiding the version raises their effort, though real security still comes from patching.

What is the X-Powered-By header?

It is an optional header that names the application technology behind a site, such as PHP/8.1 or ASP.NET. It is recommended to remove it, since it reveals the stack and sometimes an end-of-life version, for no benefit to visitors.

How can I tell if a site uses a CDN?

Look for tell-tale headers: cf-ray and a Server of cloudflare indicate Cloudflare; x-served-by suggests Fastly; x-vercel-id indicates Vercel. The tool surfaces these CDN hints when present.

Does this store the URLs I check?

No. Each check runs live against the URL and nothing is logged or saved.