A survey of HTTP 'server' headers


Alex Keeling

Notes on a global survey of HTTP server headers

May 2026

What are the most popular web servers? And does anyone put jokes in their HTTP response headers?

I recently read Jan Schaumann's post about IPv6 adoption and the work he did to check how many of the top million domains have IPv6 enabled (and lots of other great details). It got me thinking about doing something similar but checking what the most popular HTTP servers are. So I found a list of the (apparently) top ten million domains, and got to work on a Python script to see what I could see.

After a few false starts and briefly overwhelming my local DNS server with too many requests, I turned down the request frequency and started to get some data flowing in. I stopped after 170,000 domains. There's enough here to find some interesting results.

Method

I first tried requesting the website root, e.g. example.com/. If the site didn't reply to my survey bot, I tried asking for the robots.txt file: example.com/robots.txt. Since this is specifically made for bots, I found that some sites which won't serve me the site root would still serve that file.

Server isn't a required header in HTTP, but most servers provide it. Like this:

Server: nginx

The server header is mixed in with lots of other headers. A typical response looks something like this:

$ curl -sI https://alex.keeling.me
HTTP/2 200
date: Tue, 26 May 2026 18:07:04 GMT
content-type: text/html
accept-ranges: bytes
last-modified: Fri, 27 Mar 2026 02:14:24 GMT
server: cloudflare
cf-cache-status: DYNAMIC
cf-ray: a01eb7a39f4b88f1-BOS
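A sketch of the root-then-robots.txt fallback described in this section, added here as an example; it is not the author's script. The HEAD method, the https scheme, the timeout, the User-Agent string and the names fetch_server, survey_domain and fake_fetch are all assumptions, and the replies in FAKE_REPLIES are constructed so the logic runs without a network.

```python
import urllib.error
import urllib.request

def fetch_server(url, timeout=5.0):
    """Return the Server value for url: a string (possibly empty), or None
    if the header is absent. Raises OSError when nothing replies at all."""
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "header-survey-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Server")  # lookup is case-insensitive
    except urllib.error.HTTPError as err:
        # A 4xx/5xx status is still a reply and still carries headers.
        return err.headers.get("Server")

def survey_domain(domain, fetch=fetch_server):
    """Ask for the site root, then fall back to /robots.txt."""
    for path in ("/", "/robots.txt"):
        try:
            value = fetch(f"https://{domain}{path}")
        except OSError:
            continue  # DNS failure, refusal or timeout: try the next path
        status = "no_header" if value is None else "header"
        return {"domain": domain, "path": path, "status": status,
                "server": value}
    return {"domain": domain, "path": None, "status": "no_reply",
            "server": None}

# Constructed replies, so the logic can be exercised without a network.
FAKE_REPLIES = {
    "https://a.example/": "nginx",
    "https://b.example/robots.txt": "cloudflare",  # root does not answer
    "https://c.example/": None,                     # reply, header absent
    "https://d.example/": "",                       # header present, empty
}

def fake_fetch(url):
    if url not in FAKE_REPLIES:
        raise OSError("no reply")
    return FAKE_REPLIES[url]

if __name__ == "__main__":
    for name in ("a.example", "b.example", "c.example", "d.example", "e.example"):
        print(survey_domain(name, fake_fetch))
```

Keeping "no reply", "reply without a Server header" and "Server header with an empty value" as three separate outcomes is what makes the percentages in a survey like this one reproducible.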

Most popular servers

About 90% of the domains I tried to connect to replied. Of those, a little less than 90% returned a server header. In the end, 131,265 servers included the Server header.

The top 5:

34% cloudflare
16% nginx
13% Apache
3% LiteSpeed
2% Microsoft-IIS/10.0

Combined, the top five account for 68% of servers. But there's a long tail. Each of the top five has thousands or tens of thousands of hits, but the number of servers with a unique server header? 1676. That's 60% of the total number of distinct server header values (2814).

Many of these are quite similar to each other. For example, Apache/2.4.66 (FreeBSD) OpenSSL/3.0.16 PHP/8.3.29 and Apache/2.4.66 (FreeBSD) OpenSSL/3.0.16 PHP/8.2.30. Same Apache version, same OS, same OpenSSL version. Just a minor PHP version difference.
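One way to collapse near-duplicates like these is to parse each value with the product/comment grammar that RFC 9110 gives for the Server header and group on the first product name. This is an added example, not the author's script: parse_server, family, disclosed_versions and tally are hypothetical names, case-folding the family is my choice, and SAMPLE reuses header values quoted on this page.

```python
import re
from collections import Counter

# "token" characters from RFC 9110; a product is token ["/" token].
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")
COMMENT = re.compile(r"\([^()]*\)")  # un-nested "(FreeBSD)"-style comments

def parse_server(value):
    """Return [(name, version_or_None), ...], or [] if value is not
    product syntax (free text with quotes or other punctuation)."""
    products = []
    for part in COMMENT.sub(" ", value).split():
        match = PRODUCT.fullmatch(part)
        if match is None:
            return []
        products.append((match.group(1), match.group(2)))
    return products

def family(value):
    """Grouping key: first product name, case-folded; else the raw value."""
    products = parse_server(value)
    return products[0][0].lower() if products else value.strip()

def disclosed_versions(value):
    """Component versions any client can read straight off the header."""
    return {name: ver for name, ver in parse_server(value) if ver}

def tally(values):
    """Count header values per family."""
    return Counter(family(v) for v in values)

# Header values quoted on this page, used as sample input.
SAMPLE = [
    "cloudflare", "nginx", "Apache", "LiteSpeed", "Microsoft-IIS/10.0",
    "Apache/2.4.66 (FreeBSD) OpenSSL/3.0.16 PHP/8.3.29",
    "Apache/2.4.66 (FreeBSD) OpenSSL/3.0.16 PHP/8.2.30",
    "NGinX",
    "'; DELETE carlos FROM users --",  # not product syntax: kept verbatim
]

if __name__ == "__main__":
    print(tally(SAMPLE).most_common())
    print(disclosed_versions(SAMPLE[5]))
```

The same parse shows what a verbose header tells every client: the first Apache value above discloses exact Apache, OpenSSL and PHP versions, while a bare `Apache` discloses none.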

About Cloudflare

Cloudflare's numbers are undeniably impressive. More than a third of the sites I queried are hosted with Cloudflare!

Except, that's not quite right. Although some sites actually are hosted directly with Cloudflare (including this one! This blog is hosted from a Cloudflare R2 bucket. Check out my http headers), many more sites are hosted elsewhere, and use Cloudflare as a CDN in front of their server.

So your request does go through Cloudflare, and Cloudflare does update the headers when they pass along the response, but the actual, authoritative html file is often physically hosted elsewhere with some other web server.

For example, this blog was previously hosted with AWS S3, but had Cloudflare in front for a while before I completely moved over. (Between my minimal traffic and their generous free tier, Cloudflare is even cheaper for me than AWS was. And AWS was already cheap.)

Of course, once a CDN like Cloudflare overwrites a site's server header, you can't easily find the original value.

Fun servers

Most servers advertise themselves as what they are (or as something else boring for security obfuscation) but some servers send back amusing headers. Here are the best ones I've found so far:

portswigger.net Server: '; DELETE carlos FROM users --
There's nothing like including some SQL injection in your HTTP headers for anyone scraping to deal with :)

fastly.com Server: Artisanal bits
This is fun. Since I'm sure Fastly has their own HTTP servers they've written for their CDN, I'm sure it's accurate.

evropa2.cz Server: Guido
As a Python developer, this is one of my favourites. I'm guessing they're running some Python framework and put an homage to the creator of the language in their server's headers.

shredderchess.com Server: HTTP Server
I like this. It's correct and generic, yet unique without giving away their actual server.

cbs.nl server: ""
Lots of servers pass an empty string (aka no value, e.g. server:) for their server header, but cbs.nl passes two literal double quotes. They probably meant for it to be an empty string? So close.

ikea.co.id server: 0879f696
I went to this Ikea site for Indonesia and from looking through my browser's network tab, almost every request got back a different number: 30ad7d76, 75eaac43, f4d5e918. I'm guessing they have a unique value for each instance of their web server running in different containers or something.

collabora.com server: Hidden

uppolice.gov.in server: My httpd server

palemoon.org server: NGinX
Despite nginx being the most popular web server (not counting various...
