Remove Caddy signature from websockets responses

luisimasd · May 16, 2026, 7:00pm

1. The problem I’m having:

Web socket responses are revealing the Caddy tool.
Caddy signature is removed correctly from http(s) traffic but now WSS responses
Not sure if I am missing anything on the setup.

2. Error messages and/or full log output:

I have this request on the web developer tools:

GET /rest/push?pushRef=sg06izoz33 HTTP/1.1
Host: server:123
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: /
Accept-Language: en,en-US;q=0.8,es-ES;q=0.5,es;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Sec-WebSocket-Version: 13
Origin: https://server:123
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: d5lxxxxxxxxxLgw==
DNT: 1
Sec-GPC: 1
Connection: keep-alive, Upgrade
Cookie: xxxxxxxx
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

The response I see is... 

Alt-Svc
	h3=":36432"; ma=2592000
Connection
	Upgrade
Sec-Websocket-Accept
	mFjUUgIgqJ334324233323=
Server
	Caddy   << --- this is what I want to hide/remove
Upgrade
	websocket

3. Caddy version:

2.6.2

4. How I installed and ran Caddy:

via apt

a. System environment:

Ubuntu 24.04 LTS

b. Command:

N/A

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

I can’t fully share it but I remove the Caddy signature on http(s) petitions with:
server:123 {
header -Server
}

That is working flawlessly

5. Links to relevant resources:

N/A

francislavoie · May 17, 2026, 5:31am

You’re using an incredibly old and unsupported version. Use our official installation instructions, not the debian/ubuntu distro package.

luisimasd · May 17, 2026, 9:03pm

Thanks @francislavoie for the feedback. honeslly I was not planning to upgrade it as it is rock solid.

2 questions moving forward, in the current version has the question I mentioned a solution? if not, upgrading it would help?

This is a very sensitive environment, upgrade, despite if it is easy and fast, is not trivial here. So I want to reduce the uncertainty, if possible.

Any feedback is appreciated.

Thanks again. Luis

timelordx · May 18, 2026, 6:34am

There’s more than one place where to remove headers. Without seeing more of your config, it’s hard to help. Also, I do not run 2.6 anywhere, so I can’t fully test it. Please upgrade.