I am trying to hide the HTTP server I am using for security reasons and use the header -server directive for this purpose. It’s fine with this configuration but not when using websocket: it is still in the response to the upgrade request with app.domain.tld. Is there a way to remove it?
You don’t gain anything security-wise from removing that header. Knowing which server software is serving the request doesn’t really change how an attacker might attempt exploits.
If it actually mattered in terms of security, we wouldn’t have the header set by default.
It has practical benefit for debugging, helping to know whether you actually hit the server you expected (e.g. instead of your legacy Apache server maybe).
I think what’s going on is when you use the - header operation, it implicitly turns on defer, so header operations are delayed until when the response is being written out (i.e. after proxying).
But since websockets is implemented by hijacking the connection, anything that’s deferred will never happen, since it’s being turned into a TCP pipe by the reverse_proxy module.
I don’t think there’s currently a way via Caddyfile to make - operations not be deferred (because it rarely makes sense to remove a header before any has been written by some terminal HTTP handler), but Server would be the only case where that would make sense because Caddy sets that header first-thing in the request handling pipeline.
You could adapt your config to JSON and remove the "defer": true if you really care (but I don’t think you should care).
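An added example, not part of the original thread or of Caddy's own code: a Python script for the last suggestion above, which walks an adapted JSON config and drops the deferral flag only from headers handlers whose sole operation is deleting Server, leaving other deferred deletions untouched. The sample config is constructed, and the `deferred` and `delete` key names and the handler layout are assumptions about what the adapted output looks like.

```python
import json

# Constructed sample of an adapted config: `header -Server` plus a second
# deferred deletion in front of reverse_proxy. Upstream address is made up.
SAMPLE = """
{"apps": {"http": {"servers": {"srv0": {"routes": [{
  "match": [{"host": ["app.domain.tld"]}],
  "handle": [
    {"handler": "headers",
     "response": {"deferred": true, "delete": ["Server"]}},
    {"handler": "headers",
     "response": {"deferred": true, "delete": ["X-Powered-By"]}},
    {"handler": "reverse_proxy", "upstreams": [{"dial": "localhost:8080"}]}
  ]}]}}}}}
"""


def undefer_server_removal(node):
    """Recursively un-defer headers handlers that only delete Server.

    Handlers that delete anything else are left deferred, because those
    headers are written later (for example by the proxied upstream).
    Returns the number of handlers changed; edits the config in place.
    """
    changed = 0
    if isinstance(node, dict):
        resp = node.get("response")
        if node.get("handler") == "headers" and isinstance(resp, dict):
            deleted = [name.lower() for name in resp.get("delete", [])]
            if resp.get("deferred") and deleted == ["server"]:
                del resp["deferred"]
                changed += 1
        for value in node.values():
            changed += undefer_server_removal(value)
    elif isinstance(node, list):
        for item in node:
            changed += undefer_server_removal(item)
    return changed


def patch_sample():
    """Parse the constructed sample and return (patched_config, changed_count)."""
    config = json.loads(SAMPLE)
    return config, undefer_server_removal(config)


if __name__ == "__main__":
    patched, count = patch_sample()
    print(f"un-deferred {count} handler(s)")
    print(json.dumps(patched, indent=2))
```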