Footprints: Server Headers

Last updated on 2020/08/19 | by Nejc Zupan

Lately, there has been quite some debate in public and private channels and groups about the Server header and how it might pose a threat to PBNs because of footprints. This post aims to explain what the Server header is, what forms it takes in the majority of cases and what to be cautious about. Given the subject, this post gets a bit technical at times, but bear with me until the end for a 30,000-foot overview and advice for your own PBN.

TL;DR: The majority of your PBN blogs should return “Apache” as the Server header, while the minority should return “nginx”, “Apache/<VERSION> (<OS>)”, “nginx/<VERSION>” or “LiteSpeed”.

What are “headers”?

To put it in very simple terms, the Internet works like this: your browser requests a website by sending a “Request” to the server, and the server responds by sending back a “Response”. The Request tells the server what you want (for example: “I want http://google.com/images”) and the Response holds the HTML of the website you requested. But along with the HTML, the Response also contains “Headers”. Headers are metadata about the Response. For example, if the server is sending back an image, it uses headers to tell your browser “Hey, this is a JPEG image, you should render it as such”. Besides the type of content, the headers carry other information: how to cache the content, cookies, and some information about the server. I shall say that again: some information about the server. Hint?

For the sake of clarity, let’s take a popular website and see what kind of server information its server sends back in response headers. To do this, we open up Firefox, go to searchengineland.com, right-click somewhere in a blank space and click “Inspect Element”. Then open up the “Network” tab and reload the page. Now you will see all traffic flowing to your browser from searchengineland.com. Good!

Inside the Network tab, scroll all the way up to the first item that was transferred to you. That’s the HTML of the searchengineland.com website. In the right half of the Inspect pane you see the Headers tab. There they are, the elusive headers! Here you can see that the Server header for searchengineland.com is “Apache”.
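To make the Request/Response picture concrete, here is a small parser that does what the browser's Network tab does: it splits a raw HTTP response into status line, headers and body and pulls out the Server header. This is an added example for this post, not code from the original article; the response bytes are constructed, not captured from searchengineland.com or any other site, and `fetch_server_header` is a convenience wrapper around the standard library for trying the same lookup against a live URL.

```python
"""Parse a raw HTTP/1.1 response and extract the Server header.

Added example; not code from the original post. RAW_RESPONSE is a
constructed sample, shaped like what the Network tab shows for the
first (HTML) item of a page load.
"""
from typing import Dict, List, Tuple

# Constructed sample response (not a real capture). Note the body is
# exactly 50 bytes, matching Content-Length.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 19 Aug 2020 10:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Cache-Control: max-age=600\r\n"
    b"Set-Cookie: session=abc123; HttpOnly\r\n"
    b"Set-Cookie: lang=en\r\n"
    b"Content-Length: 50\r\n"
    b"\r\n"
    b"<html><body><h1>Hello, headers!</h1></body></html>"
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]], bytes]:
    """Split a raw response into (status code, headers, body).

    Header names are case-insensitive, so they are lower-cased for lookup.
    A header that appears more than once (Set-Cookie is the usual case)
    keeps every value, in the order the server sent them.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the header block")
    lines = head.split(b"\r\n")
    status_parts = lines[0].decode("iso-8859-1").split(" ", 2)
    if len(status_parts) < 2 or not status_parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    status = int(status_parts[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.decode("iso-8859-1").partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def server_header(raw: bytes) -> str:
    """Return the Server header value, or "" when the server sends none."""
    _, headers, _ = parse_response(raw)
    values = headers.get("server", [])
    return values[0] if values else ""


def fetch_server_header(url: str, timeout: float = 10.0) -> str:
    """Same lookup against a live URL, using only the standard library.

    Not exercised offline; the browser does the equivalent of this GET
    when you reload the page with the Network tab open.
    """
    import urllib.request

    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Server", "")


if __name__ == "__main__":
    code, hdrs, html = parse_response(RAW_RESPONSE)
    print("status:", code)
    for name, vals in hdrs.items():
        for v in vals:
            print(f"{name}: {v}")
    print("Server header ->", server_header(RAW_RESPONSE) or "(none)")
```

Two details matter when reading headers this way: the lookup must be case-insensitive (servers send `Server`, `server` and `SERVER` interchangeably), and a missing Server header is itself a valid and fairly common answer, so the code returns an empty string rather than failing.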

SearchEngineLand Screenshot

Implications for PBNs

Now, imagine that you have a PBN of 100 blogs. And they are all hosted on the island of Neverland, where all hosting providers, instead of Apache, use a funky new webserver called “Neverserve”. This would mean that all your blogs return the Server header “Neverserve”. Footprint much?

In order to be footprint-free your PBN should return Server headers that mimic as closely as possible the Server headers of the rest of the Internet. But what is the average Server header out there? We set out on a quest to find out!

The Hunt For The Most Common Server Headers

First, we needed some data. Instead of writing a home-baked crawler, letting it loose and hoping for the best, we opted to do it properly: we purchased credits at a service called Shodan.io. Shodan periodically monitors the *entire* Internet, as in, they ping all IPs in existence and save whatever each server responds into their database. As a paid Shodan member, you can query their database in various ways to extract only the servers you are interested in. Using header analysis, we extracted 100.000 servers that run WordPress out of their database of all servers on the Internet.

What follows is a statistical analysis of the above-mentioned 100.000 servers running WordPress worldwide.

By far the most common Server header is “Apache”. Over 40% of servers return exactly this string as a Server header.

Pie Chart Apache

So 4 out of 10 servers return “Apache” as the Server header. That’s a lot!

But what are the other most common Server headers, besides “Apache”?

Bar Chart Apache

Looking at the bar chart above it’s easy to see that the top 5 Server headers are:

  • (~40%) Apache
  • (~7%) nginx
  • (~7%) Apache + Version/OS
  • (~7%) nginx + version

Where is “LiteSpeed”, the Server header returned by the Lighty webserver that some providers use?

Pie Chart LiteSpeed

Only about 1.6% of all servers return “LiteSpeed” as the Server header.

The Conclusion

The most common Server header for WordPress servers out there is simply “Apache”. About 4 in 10 of your blogs should return “Apache” as a header. The rest should return any variation of the following Server headers: “nginx”, “Apache/<VERSION> (<OS>)”, “nginx/<VERSION>” or “LiteSpeed”. To go the extra mile maybe add some Microsoft IIS and other more marginal Server headers.

Do note, though, that these numbers change all the time and are by no means set in stone. Also, these are averages, and averages always cut out a lot of edge cases. It’s perfectly fine to have up to 7 in 10 of your blogs return “Apache” as the Server header because it’s so common. But we would recommend against having the majority of your servers return “Apache/2.4.7 (Ubuntu)” or having *all* servers return “nginx”. Mix it up, people!

Now go out there and use the Firefox steps described above to test your own PBN! Are you on the safe side?
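The bucketing used in the survey above (bare “Apache”, bare “nginx”, “Apache + Version/OS”, “nginx + version”, “LiteSpeed”, everything else) and the rules of thumb from the conclusion (up to 7 in 10 bare “Apache” is fine; a majority returning one versioned string, or every server returning the same value, is not) can be applied to your own list of Server header values in a few lines. The script below is an added example, not code from the original post or from Easy Blog Networks; the ten sample values are constructed, and the thresholds are the post's, encoded as stated.

```python
"""Classify Server header values and check a set of them for footprints.

Added example; not code from the original post. SAMPLE_HEADERS is
constructed. Bucket names follow the post's bar chart; the thresholds in
footprint_warnings() follow the post's rules of thumb.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: what a Server-header survey of ten blogs might return.
SAMPLE_HEADERS = [
    "Apache", "Apache", "Apache", "Apache",
    "nginx",
    "Apache/2.4.7 (Ubuntu)",
    "nginx/1.18.0",
    "LiteSpeed",
    "Microsoft-IIS/10.0",
    "",  # server sends no Server header at all
]

# "name/<digit...>" is how Apache, nginx and IIS disclose a version.
VERSION_RE = re.compile(r"/\d")


def discloses_version(value: str) -> bool:
    """True when the value carries a version number (an extra footprint)."""
    return bool(VERSION_RE.search(value))


def classify(value: str) -> str:
    """Map one Server header value to the buckets used in the post."""
    v = value.strip()
    if v == "":
        return "missing"
    # Product name is whatever precedes the first "/" or space.
    name = v.split("/", 1)[0].split(" ", 1)[0].lower()
    versioned = discloses_version(v)
    if name == "apache":
        return "Apache + Version/OS" if versioned else "Apache"
    if name == "nginx":
        return "nginx + version" if versioned else "nginx"
    if name == "litespeed":
        return "LiteSpeed"
    return "other"


def distribution(values: List[str]) -> Dict[str, float]:
    """Share of each bucket as a fraction of all values (sums to 1)."""
    counts = Counter(classify(v) for v in values)
    total = len(values)
    return {bucket: counts[bucket] / total for bucket in sorted(counts)}


def footprint_warnings(values: List[str]) -> List[str]:
    """Apply the post's rules of thumb; an empty list means nothing stood out."""
    warnings: List[str] = []
    total = len(values)
    if total == 0:
        return ["no values to check"]
    exact = Counter(v.strip() for v in values)
    top_value, top_count = exact.most_common(1)[0]
    if top_count == total:
        warnings.append(f"all {total} servers return {top_value!r}")
    if distribution(values).get("Apache", 0.0) > 0.7:
        warnings.append("more than 7 in 10 servers return bare 'Apache'")
    for v, count in exact.items():
        if discloses_version(v) and count * 2 > total:
            warnings.append(f"majority of servers return the versioned string {v!r}")
    return warnings


if __name__ == "__main__":
    for bucket, share in distribution(SAMPLE_HEADERS).items():
        print(f"{share:6.1%}  {bucket}")
    print("warnings:", footprint_warnings(SAMPLE_HEADERS) or "none")
```

Replace `SAMPLE_HEADERS` with the values you collected from the Network tab (one per blog) and the report tells you both how your mix compares with the survey buckets and which rule of thumb, if any, you are tripping. The version check is worth a look on its own: every value it flags is a server volunteering its exact release to anyone who asks.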

But for all of you who host your blogs on Easy Blog Networks, you can easily relax and go for a beer, coffee or some juice. Our servers are configured to return Server headers like the top 100 most common Server headers out there (including different server versions, operating systems, other webservers besides Apache, Nginx and Lighty, etc.).

The Server header is not the only header that gives away important information. Keep an eye out for the follow-up post scheduled to be published in the coming weeks.