The `Server` header can reveal details about the software handling the request. In `secure`, the builder defaults to an empty string so your application can avoid adding identifying detail when the surrounding stack allows it.

```python
from secure import Secure, Server

secure_headers = Secure(
    server=Server().set("")
)
```

Server: Application code can only control this header if the surrounding stack does not re-add its own value. Check your ASGI server, WSGI server, proxy, or CDN settings too.

- Set an empty value or custom string: Use an empty or generic value when you want `secure` to control the header.
- Avoid exposing server information: Avoid leaving the default server response, which may expose sensitive version information.
- Check upstream defaults: Proxies, ASGI servers, and framework middleware may still add their own `Server` header unless you disable that behavior.

Use `Server` to control the `Server` header value. Its default value is an empty string.

- `set(value)`: Set a custom value for the `Server` header.
- `clear()`: Clear any custom value and revert the header to its default secure value (an empty string).

To set up the `Server` header and hide the server information:

```python
from secure import Server

server_header = Server().set("")
print(server_header.header_name)   # Output: 'Server'
print(server_header.header_value)  # Output: ''
```

Then pass it into `Secure`:

```python
from secure import Secure

secure_headers = Secure(server=server_header)
```

Some frameworks like Uvicorn automatically inject a `Server` header. If you're using Uvicorn and need to override or remove this header, refer to the framework integration guide for specific instructions on how to disable Uvicorn's default `Server` header.

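
One way to confirm what actually reaches the client after every layer has run, as an added example that is not part of `secure` or its documentation. The names `server_values`, `audit_server_header` and `VERSION_RE`, and the three sample responses, are constructed for illustration.

```python
import re

# Matches a version token such as "nginx/1.18.0" or "CPython/3.11".
VERSION_RE = re.compile(r"/\d|\d+\.\d+")

def server_values(raw_head: str) -> list[str]:
    """Collect every Server header value from a raw HTTP response head."""
    values = []
    for line in raw_head.split("\r\n")[1:]:   # skip the status line
        if not line:                           # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            values.append(value.strip())
    return values

def audit_server_header(raw_head: str, allowed=frozenset({""})) -> list[tuple[str, str]]:
    """Return (finding, value) pairs; an empty list means nothing identifying leaked."""
    values = server_values(raw_head)
    findings = []
    if len(values) > 1:
        # More than one Server line: some layer added its own next to the app's.
        findings.append(("duplicate", str(len(values))))
    for value in values:
        if value in allowed:                   # empty or an approved generic string
            continue
        kind = "version" if VERSION_RE.search(value) else "product"
        findings.append((kind, value))
    return findings

# Constructed sample responses (not captured from a real deployment).
CLEAN = "HTTP/1.1 200 OK\r\nServer: \r\nContent-Type: text/plain\r\n\r\n"
READDED = "HTTP/1.1 200 OK\r\nserver: uvicorn\r\nServer: \r\n\r\n"
PROXIED = "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\nbody"

if __name__ == "__main__":
    for label, head in [("clean", CLEAN), ("re-added", READDED), ("proxied", PROXIED)]:
        print(label, audit_server_header(head))
```

Feed it the response head as seen from outside the proxy or CDN, and pass your chosen generic string in `allowed` if you set one instead of an empty value.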
This library implements security recommendations from trusted sources:
- MDN Web Docs (licensed under CC-BY-SA 2.5)
- OWASP Secure Headers Project (licensed under CC-BY-SA 4.0)