Superfluous header added by Cloudflare

It seems that Cloudflare is adding the header “X-Turbo-Charged-By: Litespeed”.

Setting the header Header add X-Turbo-Charged-By "WebServer" or unsetting it has no effect
Header always unset Server X-Turbo-Charged-By "Litepeed".

What option is there to remove and/or replace the header without using workers?

1 Like

That’s definitely not coming from Cloudflare. I’ve seen threads from people trying to unset that header with no luck. And because it’s not coming from Cloudflare, you can’t remove it without using Workers.

Thanks @sdayman. Is there a way to determine where it’s originating from if it isn’t Clouflare? Sources such as Hacker Target suggest it’s embedded by Cloudflare -

1 Like

Make a request to the origin server directly. It’s almost certainly not a Cloudflare header.

And easy way to hit the origin directly is to use curl’s “–resolve” option.

The origin server is most certainly not generating it. A separate thread had been started with the Litespeed developers -

It’s weird that everyone keeps saying it’s a Cloudflare header. Cloudflare has never added that header. Mind sharing the domain and origin IP?


Are you using WordPress with a caching plugin? It could be coming from WordPress plugins

There are no Wordpress caching plugins.

What’s the domain?

1 Like

It’s [redacted]

Run this command, but put in the correct IP address of your origin webserver instead of
curl -Ik --resolve

That should show you the headers coming from your server.

You must be thinking of LiteSpeed Cache.

Thanks. The headers do not include X-Turbo-Charged-By.

HTTP/2 200
content-type: text/html
last-modified: Thu, 02 Apr 2020 00:00:08 GMT
accept-ranges: bytes
content-length: 6389
date: Sun, 18 Oct 2020 02:08:57 GMT
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: same-origin
x-permitted-cross-domain-policies: none
content-security-policy: base-uri 'self'; default-src 'none'; connect-src 'self'; child-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; font-src 'self' data:; media-src 'none'; img-src 'self' data:; object-src 'none'; style-src 'self' 'unsafe-hashes' 'unsafe-inline'; script-src 'self' 'unsafe-inline' ;
feature-policy: geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'
edit: Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
x-dns-prefetch-control: on
vary: Accept-Encoding


You should have a look at this thread from the official LiteSpeed forum:

If you believe you are NOT using LiteSpeed Cache and it is NOT installed as a WordPress Plugin, then you are most probably running a Shared Server that is running some LiteSpeed version in the background which is adding the X-Turbo-Charged-By: LiteSpeed header because you are also using a CDN (Cloudflare in this case). The aforementioned forum thread has more info about the issue.

Now, I’m really wondering why you want to remove that header? If it has no performance impact on your server, I wouldn’t put too much effort in removing it.

Thanks @janvitos. Litespeed cache nor its WordPress plugin is installed. Assuming it’s being added by the server, I would the headers to return the details from the origin which it didn’t.

The driver isn’t as much performance as to understand where the header is coming from so that if there is a need/desire to remove it, there is an option to do so easily.

Then it’s a good mystery. There’s not even a server: header in there. So I suspect you’ve already removed that.

Now the question is: How and Why does that header get inserted when going through Cloudflare? What interaction would trigger that?

Read that forum thread I posted and you will get some answers. They even provided different recommendations to remove or change the header.

It seems the header is only being added by the LiteSpeed backend when it detects it is passing through a CDN. But as one Well-Known Member stated on the thread, it isn’t coming from LiteSpeed Enterprise either, so it probably comes from another version installed on your Shared Server.

1 Like

That’s correct. Most of the remaining headers have been suppressed. Yes, it’s a mystery that seems to have no real insight. Is anyone else on the thread experiencing or potentially seen it occur with Cloudflare and the servers it is communicating with?

Stepping it through logically though, if the header is being introduced by another service, the curl responses should return these but they don’t. That’s the confusion.

Except that your curl request looks different from a Cloudflare request.