How to remove Server Cloudflare header

How do I remove the server:cloudflare header, which Cloudflare adds by default? I have tried the following web worker, but it gives the error “can’t modify immutable headers”:

    addEventListener('fetch', event => {
      event.respondWith(handleRequest(event.request))
    })

    /**
     * Fetch and log a request
     * @param {Request} request
     */
    async function handleRequest(request) {
      console.log('Got request', request)
      const response = await fetch(request)
      console.log('Got response headers', response.headers)
      var headers = response.headers
      headers = headers.delete('server')
      response.headers = headers
      return response
    }

You can't remove it. Cloudflare automatically appends it.

What a shame, why do they think information disclosure is acceptable? Why do I have to hide the OS and framework I use but not the WAF? If an attacker is aware of vulnerabilities in their platform they will try those first, they will also not bother to waste time attacking with known vulnerabilities of Akamai as they now know I am not using that platform.

I wouldn't really call it that. Also, it will be quite obvious that you are using Cloudflare anyhow, based on the IP addresses.

2 Likes

Good point re IP addresses. Thanks
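The “can’t modify immutable headers” error from the question comes from editing the headers of the object returned by `fetch()` directly. The sketch below is an added example, not code from any poster in this thread: it copies the response so that its headers are mutable and strips origin-identifying headers. The helper name `withoutHeaders` and the header list are assumptions, and as the reply above says, Cloudflare still appends its own `server: cloudflare` header afterwards.

```javascript
// Added example (not from the thread): make a fetch() response editable.
// Hypothetical list of headers that disclose the origin's framework.
const ORIGIN_DISCLOSURE_HEADERS = ['x-powered-by', 'x-aspnet-version'];

// Return a copy of `response` with the named headers removed.
function withoutHeaders(response, names) {
  // new Response(body, init) copies status, statusText and headers from
  // `init`; the copy's Headers object is not guarded as immutable.
  const copy = new Response(response.body, response);
  for (const name of names) {
    // delete() returns undefined, so the result must not be assigned back
    // to a variable as the original snippet did.
    copy.headers.delete(name);
  }
  return copy;
}

async function handleRequest(request) {
  const upstream = await fetch(request);
  return withoutHeaders(upstream, ORIGIN_DISCLOSURE_HEADERS);
}

// Register the handler only where a global fetch event target exists
// (the Workers runtime); this keeps the file loadable elsewhere.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => {
    event.respondWith(handleRequest(event.request));
  });
}
```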