@dunglas
Member

@dunglas dunglas commented Nov 3, 2025

Will allow tracking FrankenPHP usage in the wild (currently, it is identified as Caddy).

cc @mholt

Contributor

@mholt mholt left a comment

LGTM. Many, many people remove the Server header unfortunately (for bizarre reasons), so I admit it's not a great metric, but it's worth a shot.

@henderkes
Contributor

Cool idea, but don't most people disable server headers?

@mholt
Contributor

mholt commented Nov 4, 2025

I dunno about most. But lots do, I think. Disabling it has no benefit, mostly an old wives' tale so to speak. But I still think it's worthwhile to set it.

# Conflicts:
#	caddy/module.go
#	frankenphp.go
@dunglas dunglas merged commit 724c0b1 into main Nov 10, 2025
24 checks passed
@dunglas dunglas deleted the feat/server-header branch November 10, 2025 16:25
@aleho
Contributor

aleho commented Nov 25, 2025

> I dunno about most. But lots do, I think. Disabling it has no benefit, mostly an old wives' tale so to speak. But I still think it's worthwhile to set it.

I've had to argue against external pen-testing providers contracted by customers because for them finding a Server header in a response is a "critical issue" (absurdly once for a service that is behind a proxy anyway).

I found your reasoning against removing the header some time ago in some discussion. Maybe a wiki entry one can point to like "See what the people behind Caddy officially think about your snake-oil" might help?

@dunglas
Member Author

dunglas commented Nov 25, 2025

For the record, adding `header -Server` in the Caddyfile is what it takes to entirely remove the header if wanted.

@mholt
Contributor

mholt commented Nov 25, 2025

@aleho Yikes, that's alarming... sigh.

Anyway, yeah, the header is easy to remove if insistent upon it. It just hurts the feedback cycle.
