HTTP banner analysis
HTTP banner analysis uses response headers to fingerprint, track, and cluster infrastructure. This guide covers change detection, TLS fingerprinting, infrastructure correlation, and the limitations introduced by shared hosting and CDNs.
3 min read
What it is#
An HTTP banner is the set of response headers a web server returns, such as Server, X-Powered-By, and Via. HTTP banner analysis collects and compares those headers across domains to fingerprint server configurations, detect infrastructure changes, and cluster related domains within a threat intelligence workflow.
Change detection#
Monitoring a domain's HTTP banners over time surfaces significant infrastructure changes. If a domain previously returned Server: Apache/2.4.58 and suddenly shows Server: nginx/1.24.0, the underlying hosting likely changed. This is relevant for:
- Compromised domains where an attacker has taken over hosting and deployed new infrastructure.
- Campaign tracking where an attacker migrates phishing pages to a new server.
- Takedown verification where a banner change may corroborate that a hosting provider acted on an abuse report (though banner changes can also reflect migrations or attacker infrastructure moves).
Tracking banner changes alongside DNS resolution changes (new IP, new ASN) and certificate changes provides a multi-signal view of infrastructure movement.
Infrastructure correlation#
Banner analysis is most useful when applied across many domains. If 50 suspicious lookalike domains all return the same combination of Server: LiteSpeed, X-Powered-By: PHP/8.1.2, and an unusual X-Turbo-Charged-By: LiteSpeed header, that shared fingerprint suggests a common hosting setup, and possibly a single operator deploying phishing pages from a template.
Correlating banner fingerprints with ASN data and IP ranges strengthens clustering. Domains sharing both a banner pattern and an ASN are more likely to be related than domains sharing only one of the two.
TLS fingerprinting#
Beyond HTTP headers, the TLS handshake itself produces fingerprints. JA3 and its successor JA4 hash the parameters of a TLS ClientHello or ServerHello (cipher suites, extensions, supported versions) into a compact identifier. While JA3/JA4 are primarily used to fingerprint clients, server-side TLS fingerprints can differentiate server software and configurations even when HTTP banners are stripped or spoofed.
TLS fingerprinting is especially useful for infrastructure behind CDNs, where the HTTP Server header reflects the CDN rather than the origin. The TLS configuration of the origin (visible when connecting directly to the IP) may reveal the actual server software.
False positives from shared hosting and CDNs#
Banner-based clustering has the same attribution challenge as ASN reputation when many unrelated assets share infrastructure. Hundreds of unrelated sites on a cPanel shared hosting server will share identical banners. CDN customers behind Cloudflare all present Server: cloudflare. These shared environments produce false correlations that must be filtered using additional signals, registration data, content analysis, or behavioral patterns.
Practical workflow#
A typical banner analysis workflow collects headers from a set of domains (via direct crawling or internet-wide scan data from Censys or Shodan), normalizes the header set into a fingerprint, clusters domains by fingerprint similarity, and then enriches clusters with DNS, WHOIS, and content data to assess whether the cluster represents a single operation. Domains flagged through this process can be escalated for phishing domain detection triage.
More from Threat intelligence
View allDomain threat intelligence
Domain threat intelligence is the collection and analysis of signals from domain registrations, DNS, certificates, and hosting to detect abuse. This guide covers core data sources, enrichment workflows, and how domain threat intelligence supports incident response.
Malicious domain detection
Malicious domain detection combines registration signals, DNS behavior, content analysis, and reputation feeds to identify domains used for phishing, malware, or fraud. This guide covers detection approaches, scoring models, and false positive management.
What is certificate transparency?
Certificate Transparency (CT) is an ecosystem of public, append-only logs of issued certificates. Originally created to catch rogue certificates after high-profile CA compromises, CT logs have become an important source of threat intelligence for domain and subdomain monitoring.