In the November 2021 survey we received responses from 1,175,392,792 sites across 267,027,794 unique domains and 11,525,855 web-facing computers. This reflects a loss of 4.06 million sites, but a gain of 1.60 million domains and 137,000 computers.
nginx gained the largest number of domains (+741,000) and web-facing computers (+81,300) this month and continues to lead in both metrics with market shares of 30.1% and 37.3%.
Further down in the market, there was also a noticeable increase in the total number of web-facing computers running LiteSpeed, which went up by 11,200 to 101,000 (+12.5%), although this resulted in only a 1.44% increase in domains. These counts include sites that run on LiteSpeed Web Server and its open source variant, OpenLiteSpeed, both of which exhibit the same “LiteSpeed” server banner.
Both nginx and Apache lost nearly 4 million hostnames each, reducing their sites market shares to 34.7% and 24.4%. Meanwhile, Cloudflare gained 1.15 million sites, which has taken its total up to 58.6 million (+2.00%) and increased its sites share to 4.99%.
nginx and Apache also suffered losses amongst the top million websites, paving the way for Microsoft to increase its presence by 2,369 sites (+3.75%). Microsoft web server software is now used by 65,600 of the top million sites, but Apache is still the most commonly used web server in this sector, with 240,000 of the top million sites using it, and nginx is not far behind with 224,000.
Apache 2.4.49 vulnerability
Following last month’s news of a path traversal vulnerability in Apache 2.4.49 being actively exploited in the wild, this month’s survey shows that more than 11 million websites had server banners containing “Apache/2.4.49” before a fix was released. The only other version vulnerable to attack was Apache 2.4.50, which failed to fix the vulnerability properly – but this version was released after the survey ran and was promptly replaced with Apache 2.4.51, where the vulnerability was resolved properly.
The true number of websites that were vulnerable during the survey period is likely to have been much greater than the 11 million websites that openly reported themselves to be running Apache 2.4.49, as nearly two-thirds of all Apache-powered websites do not reveal a version number in their server banners. This configuration is often a deliberate act towards security through obscurity, although attackers can often deduce precise version numbers by carrying out additional tests. There may also have been additional vulnerable instances of Apache 2.4.49 hidden behind frontend load balancers or content delivery networks such as Cloudflare.
Conversely, some websites running on Apache 2.4.49 may not have been vulnerable if they used an appropriately configured web application firewall that prevents path traversal attacks. More generally, the true number of web servers that contain a version-specific vulnerability can also be masked by future backported security patches, which typically fix vulnerabilities without changing the apparent version number of the software. From an external perspective, a server might appear to be running a vulnerable software version but may not actually be vulnerable to the issues affecting that version.
LiteSpeed Web Server 6.0.11 was released on 10 November. This is the latest version in the LSWS 6.0 stream and includes improvements in HTTP/2 and HTTP/3 throughput, new support for WebSocket proxy targets in rewrite rules, and several bugfixes.
Microsoft has announced new Azure Bounty Program rewards of up to $60,000 to encourage and reward research into vulnerabilities that would have the highest potential impact on the security of its customers.
nginx 1.21.4 mainline was released on 2 November. This version includes some new features and changes relating to TLS and HTTP/2.
Lighttpd 1.4.61 was released on 28 October to address a number of bugs. Lighttpd is used by 245,000 unique domains in this month’s survey.
njs 0.7.0 was released on 19 October to add HTTPS support for its Fetch API, along with a few other new features and bugfixes.
Cloudflare Pages now supports custom headers natively, without having to use Cloudflare Workers. This makes it easier for developers to add best-practice security headers and others to their JAMstack applications.