What is an HTTP banner?

An HTTP banner is the information returned in HTTP response headers that reveals server software, version, and configuration. This guide covers which headers are informative, what banners reveal, and their limitations in investigations.

What it is

An HTTP banner is the identifying information a web server returns in its HTTP response headers. When a client sends a request, the server's response includes headers that may disclose the server software, its version, and other configuration details. This information is sometimes called the server's "banner" by analogy with the banners that FTP and SMTP servers display on connection. HTTP banners are a foundational data source in threat intelligence and infrastructure investigation.

Relevant headers

Several HTTP response headers contribute to the banner.

Server is the most direct identifier. Common values include nginx/1.24.0, Apache/2.4.58, Microsoft-IIS/10.0, or cloudflare. This header reveals the web server software and often its version.

X-Powered-By indicates the application framework or runtime behind the server, such as PHP/8.2.0, Express, or ASP.NET. While the Server header identifies the web server, X-Powered-By identifies the application layer.

Via appears when the response passes through a proxy or CDN. A value like 1.1 varnish or 1.1 google reveals intermediate infrastructure.

Other headers like X-AspNet-Version, X-Generator, or X-Drupal-Cache can leak CMS and platform information. Even custom headers (e.g., X-App-Version: 2.3.1) reveal details about the application stack.

What banners reveal

HTTP banners tell an investigator what software and infrastructure a domain runs on. This supports several lines of analysis:

  • Technology identification. Knowing a site runs nginx on a specific OS version helps identify potential vulnerabilities.
  • Infrastructure attribution. A distinctive banner combination (e.g., LiteSpeed + cPanel) narrows the hosting environment.
  • Campaign correlation. Multiple phishing sites sharing identical, unusual banner configurations may belong to the same operator. HTTP banner analysis formalizes this correlation across large domain sets.

Banner grabbing is the practice of sending an HTTP request to a server specifically to capture its response headers. A simple HEAD request is often sufficient. Internet-wide scanning projects perform banner grabbing at scale, building searchable databases of server banners across the entire IPv4 address space.

Limitations

HTTP banners are informational, not authoritative. Server administrators can, and frequently do, modify or suppress banner headers. Nginx can be configured to remove the Server header entirely. Apache's ServerTokens directive controls how much version information is exposed. Attackers may spoof banners to mislead investigators.

CDN and reverse proxy services also overwrite origin server banners. A site behind Cloudflare will show cloudflare as the Server header regardless of the actual origin server software. Pairing banner data with TLS certificate analysis and other signals from malicious domain detection workflows helps compensate for these gaps.

Because of these limitations, banners are most useful as one signal among many rather than a definitive indicator.
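The following added example (not code from this guide) shows how the headers listed above can be reduced to a fingerprint for campaign correlation while respecting the limitations just described. The sample responses, the .example domains, the CDN list, and the function names are constructed assumptions.

```python
import hashlib
from collections import defaultdict
from email.parser import Parser

# Headers this guide lists as banner-relevant.
BANNER_HEADERS = ("Server", "X-Powered-By", "Via", "X-AspNet-Version",
                  "X-Generator", "X-Drupal-Cache")
# Server values that name a CDN rather than the origin (assumed, minimal list).
CDN_SERVERS = {"cloudflare"}

def extract_banner(raw_response: str) -> dict:
    """Return the banner headers present in one raw HTTP response head."""
    header_block = raw_response.partition("\n")[2]  # drop the status line
    msg = Parser().parsestr(header_block, headersonly=True)
    # Header lookup is case-insensitive; keys are stored in canonical case.
    return {h: msg[h].strip() for h in BANNER_HEADERS if msg[h] is not None}

def fingerprint(banner: dict) -> str:
    """Short stable hash over the sorted header/value pairs."""
    canon = "\n".join(f"{k.lower()}:{v}" for k, v in sorted(banner.items()))
    return hashlib.sha256(canon.encode()).hexdigest()[:12]

def correlate(responses: dict) -> dict:
    """Group domains that share a fingerprint, skipping uninformative banners."""
    groups = defaultdict(list)
    for domain, raw in responses.items():
        banner = extract_banner(raw)
        # A suppressed or CDN-overwritten banner says nothing about the origin.
        if not banner or banner.get("Server", "").lower() in CDN_SERVERS:
            continue
        groups[fingerprint(banner)].append(domain)
    return {fp: sorted(d) for fp, d in groups.items() if len(d) > 1}

# Constructed sample responses, not real captures.
SAMPLES = {
    "login-a.example": "HTTP/1.1 200 OK\r\nServer: LiteSpeed\r\nX-Powered-By: PHP/8.2.0\r\nContent-Type: text/html\r\n\r\n",
    "login-b.example": "HTTP/1.1 200 OK\r\nx-powered-by: PHP/8.2.0\r\nserver: LiteSpeed\r\n\r\n",
    "shop.example": "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nX-Powered-By: PHP/8.2.0\r\n\r\n",
    "blog.example": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n",
    "bare.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for fp, domains in correlate(SAMPLES).items():
        print(fp, domains)
```

A shared fingerprint is only a lead: common configurations will match across unrelated sites, so real use needs a rarity threshold and corroborating signals.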
