Caddy — Remove the "Server" Response Header

Caddy is a powerful web server. When serving sites with Caddy you'll notice that every response carries a Server: Caddy response header. Your application probably doesn't set that header, so it must come from Caddy itself.

This tutorial shows you how to remove the automatically added Server response header from sites served with Caddy.


The Problem: Caddy Always Appends a "Server" Response Header

We're using Caddy to serve the superchargejs.com website. When requesting a page from the Supercharge website and looking at the response headers, we notice a Server: Caddy header.

The application isn't adding this Server header. That means Caddy adds it to each response on its own.

The header tells anyone probing the site which web server sits in front of the application. That is fingerprinting information an attacker can use and legitimate clients don't need, so we want to remove it:

../images/caddy-server-response-header-1.png

We used the Insomnia HTTP client (light theme) to send a request and create the screenshot.

Remove the Added "Server" Response Header

We didn't find a configuration setting in the Caddy docs that lets you switch the automatic Server header off.

That means we need another way to remove the header. Caddy lets you control response header fields inside a site block (or a reusable snippet that you import into site blocks).

You change the handling of response header fields with the header directive. The header directive deletes a field when you prefix its name with a minus sign, for example -Server. An optional path matcher in front of the block restricts the directive to the URI paths you want.

Here’s a sample Caddy setup removing the Server field from every response by matching all URI paths:

Caddyfile

(common) {
    header /* {
        -Server
    }
}

superchargejs.com {
    reverse_proxy localhost:3000

    tls your.email@address.com

    import common
}

This configuration removes the Server response header:

../images/caddy-server-response-header-2.png

Sweet! That's the response we're looking for. It no longer reveals which web server sits in front of the application. Note that the minus form deletes the field no matter who set it: if the upstream application sends its own Server header, that one is stripped as well. Removing the header only reduces the fingerprinting surface; it doesn't fix anything in the server itself, so keep Caddy updated regardless.
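To confirm the change without opening an HTTP client, you can pipe captured response headers through a small check. The script below is an added example and not part of the original tutorial or of Caddy; the two header dumps it contains are constructed to resemble the responses before and after the Caddyfile change, not real captures. In practice you would feed it the output of curl -sI for your site.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check captured HTTP response
# headers for fields that reveal the server software. Typical use:
#   curl -sI https://superchargejs.com | leaks_server_header && echo "leak"

# Print the value of the Server header, or nothing if it is absent.
# Strips CRs (HTTP uses CRLF) and matches the field name case-insensitively.
server_header_value() {
    tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p' | head -n 1
}

# Exit 0 if the response carries a Server header, 1 otherwise.
leaks_server_header() {
    [ -n "$(server_header_value)" ]
}

# Print every header line that fingerprints the software stack, so the same
# check also catches a Server or X-Powered-By header passed through from an
# upstream application behind reverse_proxy.
fingerprint_headers() {
    tr -d '\r' | grep -iE '^(server|x-powered-by):' || true
}

# Constructed sample: what the site returned before the header directive.
before_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: Caddy\r\nContent-Type: text/html; charset=utf-8\r\n\r\n'
}

# Constructed sample: what the site returns with "header /* { -Server }".
after_headers() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n'
}

# Demo run on the constructed captures.
if before_headers | leaks_server_header; then
    echo "before: Server header present ($(before_headers | server_header_value))"
fi
if after_headers | leaks_server_header; then
    echo "after: Server header still present"
else
    echo "after: no Server header"
fi
```

Because the check only inspects text on stdin, you can run it against a saved response, a curl -sI capture, or output from any other client, and the fingerprint_headers function gives you the full list of software-revealing fields to strip with further minus entries in the same header block.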
