Caddy is a powerful web server. When serving sites with Caddy you’ll notice that responses contain a Server=Caddy response header. You probably don’t set this response header in your application, so it must come from Caddy itself.
This tutorial shows you how to remove the automatically added Server response header from sites served with Caddy.
Caddy Series Overview
- Reverse Proxy a Node.js App
- Configure SSL for HTTPS
- Configure Logging and Access Logs
- Remove the "Server" Response Header
- Redirect (Sub)Domains
The Problem: Caddy Always Appends a "Server" Response Header
We’re using Caddy to serve the superchargejs.com website. When requesting a page from the Supercharge website and looking at the response headers, we notice a Server=Caddy header.
The application isn’t adding this Server header. That means Caddy is automatically adding it to each response.
For security reasons, we don’t want to expose that kind of information in HTTP responses. That’s why we want to remove it:
We used the Insomnia HTTP client (light theme) to send a request and create the screenshot.
Remove the Added "Server" Response Header
We didn’t find a configuration setting in the Caddy docs that lets us choose whether Caddy automatically adds the Server header or not.
That means we need another way to remove that header. Caddy lets you configure how response headers are handled inside a site block (or a reusable snippet imported into it).
You can change the handling of response header fields using the header directive. The header directive lets you remove a given field by prefixing its name with a minus/dash (-). You can also restrict the URI paths on which the headers are removed.
Here’s a sample Caddy setup removing the Server field from every response by matching all URI paths:
Caddyfile
(common) {
    header /* {
        -Server
    }
}

superchargejs.com {
    reverse_proxy localhost:3000
    tls your.email@address.com
    import common
}
This configuration removes the Server response header:
Sweet! That’s the response we’re looking for. It’s not exposing any internal information about the used web server.
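To confirm the change actually took effect after a deploy, the following script checks raw HTTP response headers for software-revealing fields. It is an added example, not part of the original tutorial: the two sample responses are constructed stand-ins for what curl -sI would return before and after the header directive is applied, and the X-Powered-By check is an extra that Caddy does not set (Express does by default, so it is worth watching on a proxied Node.js app).

```shell
#!/bin/sh
# Added example: verify that responses no longer disclose server software.
# Live usage:  curl -sI https://superchargejs.com | disclosing_headers

# Print the lower-cased names of headers that reveal server software.
# Reads raw response headers on stdin; prints nothing when the response is clean.
# Header names are case-insensitive, so "SERVER: Caddy" is caught as well.
disclosing_headers() {
  tr -d '\r' | awk -F: 'tolower($1) ~ /^(server|x-powered-by)$/ { print tolower($1) }'
}

# Exit 0 when no disclosing header is present, 1 otherwise.
# Suitable as a post-deploy check in a CI or release script.
assert_no_server_header() {
  [ -z "$(disclosing_headers)" ]
}

# Constructed sample: the Supercharge response before the Caddyfile change.
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: Caddy
Content-Type: text/html; charset=utf-8'

# Constructed sample: the same response once "-Server" removes the field.
AFTER_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8'

# Run the check against a header block passed as a string.
check_sample() {
  printf '%s\n' "$1" | disclosing_headers
}

# Stand-alone run: report on both samples.
echo "before: $(check_sample "$BEFORE_HEADERS")"
echo "after:  $(check_sample "$AFTER_HEADERS")"
```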