In the February 2023 survey we received responses from 1,127,630,293 sites across 270,727,775 unique domains, and 12,142,793 web-facing computers. This reflects a loss of 4,638,508 sites, 240,148 domains and 13,907 computers.

OpenResty had the largest percentage growth in sites this month: it is now used by 95,176,082 sites, an increase of 2,884,258 (+3.13%) since last month. This brings its share of sites to 8.44%, up from 8.15% (+0.29pp). OpenResty’s market share by domain count remained stable, with a slight 0.01pp increase this month - its small loss of 14,039 domains was counteracted by the greater loss of domains across all vendors this month.

Cloudflare continues to grow, gaining 1,669,867 sites (+1.49%) and 500,432 domains (+1.89%) since our January survey. Following Cloudflare becoming the most commonly used web server vendor within the top million sites last month, it has started to cement its position: gaining 672 sites (+0.31%) of the top million sites this month, giving it a 21.71% market share (+0.07pp).

Meanwhile, Apache lost 626 sites (-0.29%) in the top million sites, bringing its share to 21.34% (-0.06pp). Outside of the top million, Apache saw more significant losses, netting a decrease of 2,593,754 sites (-1.11%) and 434,071 domains (-0.74%).

Similarly to Apache, nginx lost a significant number of domains this month, being down by 483,620 domains since our January survey (-0.66%). However, nginx maintained its overall site count and even gained 219 of the top million busiest sites, giving it a 21.23% share (+0.02pp) within the top million sites.

The largest loss in sites for a major vendor this month comes from Microsoft, which is down 2,866,173 sites (-9.59%) and 74,094 domains (-0.98%). This continues its consistent downwards trend since December 2018.

Vendor News

• Apache 2.4.55 was released on 17th January 2023. This includes a fix for the CVE-2022-36760 vulnerability. This vulnerability affects configurations using mod_proxy_ajp, a proxy server which forwards requests to an application server using the Apache JServ Protocol (AJP). The vulnerability allowed attackers to smuggle requests to the backend AJP server without being correctly processed by the proxy server.
• AWS announced general availability of its Asia Pacific (Melbourne) region, as well as general availability of Local Zones in Perth and Santiago.
• Microsoft released Azure Load Testing, a service that can test a web application’s resilience to high load.

Continue reading

In the January 2023 survey we received responses from 1,132,268,801 sites across 270,967,923 unique domains, and 12,156,700 web-facing computers. This reflects a gain of 6,894,269 sites, but a loss of 270,799 domains and 77,725 computers.

Within the top million busiest sites, Cloudflare has jumped from 3rd to 1st place — overtaking both Apache and nginx in a single month — its market share increased by 0.56pp and now stands at 21.64%. Along with Apache (21.40%) and nginx (21.20%), the top three web servers power almost two-thirds of the top million busiest sites.

Cloudflare’s journey to the top of the million busiest sites metric began in the February 2021 Web Server Survey, when we started tracking it separately from nginx to reflect Cloudflare’s extensive use of in-house technologies. At the time of this split, Cloudflare was already the third most used within the top million busiest sites, having overtaken Microsoft in March 2019. In September 2022, Cloudflare announced its replacement of nginx with Pingora, a new in-house HTTP proxy.

Cloudflare was founded in 2009 and launched publicly in 2010. Its core service is a content delivery network which sits between end-users and websites, providing increased performance by caching content and using optimised routes across the Internet.

It grew quickly, with its core service available for free and with generous bandwidth limits. In 2014 it launched Universal SSL, providing free access to HTTPS for sites using Cloudflare. The company went public in 2019. It has mitigated some of the largest denial-of-service attacks ever observed on the Internet: most recently a 2.5 Tbps attack targeting a server for the video game Minecraft in 2022.

However, its growth has not been without controversies. Its content neutrality policy has been criticised, with it providing service to cybercriminals and sites containing hate speech and far-right content. In 2017 a buffer overflow in Cloudflare’s code caused private information from a small percentage of requests, such as authentication tokens, to be leaked.

In recent years, Cloudflare’s offering has expanded and it now competes with cloud computing giants Amazon Web Services, Google Cloud and Microsoft Azure in areas such as serverless computing, object storage and managed databases.

Cloudflare has also seen sustained growth in other metrics in January: across all sites, Cloudflare saw the largest growth, with an increase of 9.3 million sites (+9.07%) and 473,405 domains (+1.82%).

Google had the second largest growth amongst all sites, with a gain of 0.33 million sites (+0.63%), 37,483 domains (+1.46%). OpenResty saw a decrease of 419,469 sites (-0.45%) and 571,662 domains (-1.45%), but an increase of 8,608 computers (+4.83%).

nginx saw growth in sites and domains for the first time since August 2022, with an increase of 311,521 sites (+0.11%) and 527,542 domains (+0.79%), but still lost 23,344 computers (-0.49%). Apache saw a decrease across all metrics, losing 1.9 million sites (-0.81%), 900,956 domains (-1.52%) and 51,758 computers (-1.53%).

Vendor News

• Apache Tomcat versions 9.0.70 and 10.1.4 were released in December, which contain bugfixes and documentation improvements.
• LiteSpeed Web Server 6.1 was released on 9th January 2023. The LiteSpeed Web Server 6.1 stream introduces support for the PROXY protocol. This is the first stable release for this version stream; it includes various improvements and fixes since the previous release candidate.
• lighttpd 1.4.68 was released on 3rd January 2022, including strengthened defaults for TLS, various bugfixes and removal of some deprecated features.
• nginx 1.23.3 was released on 13th December 2022, containing bugfixes.
• Oracle opened a new cloud region in Chicago on 15th December 2022.

Continue reading

In the December 2022 survey we received responses from 1,125,374,532 sites across 271,238,722 domains and 12,234,425 web-facing computers. This reflects a loss of 9.7 million sites, 450,421 domains, and 72,200 web-facing computers.

Cloudflare continues its growth, gaining 1.5 million sites (+1.44%) and 309,670 domains (+1.21%). Cloudflare now accounts for 9.14% of sites and 9.57% of domains seen by Netcraft, up by 0.21pp and 0.13pp respectively.

Apache lost 7.4 million sites (-3.03%) and 15,439 web-facing computers (-0.46%). However, it saw a modest gain of 52,986 domains (+0.09%). nginx also saw significant loss of 5.5 million sites (-1.84%), 1.3 million domains (-1.77%), and 82,128 web-facing computers (-1.71%).

The largest percentage growth this month comes from LiteSpeed, with it gaining 1.1 million sites (+2.01%) and 170,873 domains (+2.03%). OpenResty also saw a significant growth of 1.1 million sites (+1.20%) but lost 135,748 domains (-0.34%).

In the top million busiest sites, Cloudflare continues its upward trend - gaining 809 of the top million sites, which increases its market share by 0.08pp to 21.08%. The gap between Cloudflare and the leader Apache, which lost 784 sites and 0.08pp market share, is down to just 0.51pp. In second place, nginx gained a modest 428 sites and 0.04pp market share.

Vendor news

• njs 0.7.9, the scripting language used to extend nginx, was released on 17th November 2022 with various bugfixes.
• Apache Tomcat versions 9.0.69 and 10.1.2 were released on 14th November 2022. Version 8.5.84 was released on 21st November 2022. All of these releases mostly contain bugfixes.
• AWS announced the new Europe (Zurich), Europe (Spain), and Asia Pacific (Hyderabad) Regions, bringing the total number of AWS Regions to 30. It also announced new Local Zones and various new features at AWS re:Invent 2022.

Continue reading

In the November 2022 survey we received responses from 1,135,089,912 sites across 271,689,143 domains and 12,306,625 web-facing computers. This reflects a gain of 4.7 million sites, a loss of 194,480 domains, and a gain of 6,685 web-facing computers.

The biggest growth this month comes from Cloudflare, with it gaining 8.3 million sites (+8.91%) and 490,000 domains (+1.94%). Cloudflare now accounts for 8.93% of all sites seen by Netcraft, up by 0.70pp since October.

nginx saw significant losses in its number of sites and domains this month. It lost 8.5 million sites (-2.75%) and 490,000 domains (-0.66%). However, nginx still holds its strong lead as the most widely used web server software, with a market share of 26.51% sites. Apache has the second largest number of sites, with a market share of 21.40%.

LiteSpeed continues its strong growth — this month it gained 720,000 sites (+1.28%) and 110,000 domains (+1.32%). This brings its market share of sites from 4.97% to 5.01% (+0.04pp).

Following its web-wide trend, Cloudflare has also seen growth in the top million sites. Since October, it gained 1,733 of the top million sites, with its market share increasing from 20.83% to 21.00% (+0.17pp). Meanwhile, both Apache and nginx have lost market share in the top million sites, with Apache down from 21.72% to 21.66% (-0.06pp) and nginx down from 21.36% to 21.21% (-0.15pp).

Vendor news

• nginx 1.23.2 was released on 19th October 2022. This version fixes memory corruption and disclosure vulnerabilities in ngx_http_mp4_module.
• njs 0.7.8, the scripting language used to extend nginx, was released on 25th October 2022, adding many language features and bug fixes.
• Apache Tomcat versions 8.5.83, 9.0.68, 10.0.27, and 10.1.1 were released on 3rd October 2022. Most of the changes are bugfixes.
• Cloudflare announced early access for Privacy Gateway, a proxy allowing HTTP traffic to be securely encapsulated. It is based on the Oblivious HTTP IETF draft.
• AWS announced two new Local Zones: Hamburg, Germany and Warsaw, Poland. These are the first locations in Europe, and add to the now 20 generally available Local Zones.

Continue reading

In the October 2022 survey we received responses from 1,130,378,382 sites across 271,883,623 unique domains, and 12,299,940 web-facing computers. This reflects a gain of 1.13 million sites, 258,363 unique domains, and 47,769 web-facing computers.

Cloudflare saw strong growth, with an increase of 9.44 million (+11.3%) sites resulting in an increase of 0.83pp in market share. It also gained a moderate 0.20 million unique domains (+0.79%), an increase of 0.06pp in market share.

Both nginx and Apache experienced decreases across all metrics. nginx lost 10.07 million (-3.15%) sites, a loss of 0.92pp in market share, 1,201 web-facing computers (-0.16pp market share), and 20,677 unique domains (-0.03pp market share). Apache lost 1.17 million sites (-0.13pp market share), 973 web-facing computers (-0.12pp market share), and 306,055 unique domains (-0.13pp market share).

Within the top million busiest sites, Apache remains the most used web server, but its market share continues its long-term downward trend, decreasing by 0.21pp. nginx also lost 0.12pp, but closes its gap to Apache to 3,622 sites. Cloudflare’s growth continues, with a gain of 0.07pp, bringing its market share to 20.83%. This reduces Apache’s lead to less than 1pp, and Cloudflare is set to overtake both Apache and nginx in the next few months if the trends continue.

OpenResty had the largest increase in web-facing computers, gaining 13,972 (+7.69%). However, it was overtaken by Cloudflare in overall number of sites after a decrease of 1.06 million (-1.14%) sites. It also saw a decrease of 0.26 million (-0.65%) unique domains, losing 0.11pp in market share.

Vendor news

• LiteSpeed Web Server 6.1 RC2 was released on 7th October 2022. This is the latest version in the LSWS 6.1 stream and includes support for the PROXY protocol.
• At Google Cloud Next ’22, Google anounced five new Google Cloud regions in Austria, Greece, Norway, South Africa, and Sweden. It also announced that the new C3 machine series is now available in private preview.
• Cloudflare enabled support for post-quantum hybrid key agreements on all websites and APIs served through it in protocols based on TLS 1.3. These agreements are a hybrid of the classical X25519 and the new post-quantum Kyber512 and Kyber768.
• Microsoft announces Azure Firewall Basic is now available in public preview, providing a more cost-effective network firewall protection aimed at small and medium businesses.
• AWS announced the launch of two new Local Zones in Taipei and Delhi, adding to its existing 16 Local Zones.

Continue reading

In the September 2022 survey we received responses from 1,129,251,133 sites across 271,625,260 unique domains, and 12,252,171 web-facing computers. This month all three metrics have decreased since August, with a loss of 5.82 million sites, 115,512 unique domains and 113,356 web-facing computers.

nginx had the largest increase in web-facing computers, gaining 28,887 (+0.56%) this month. OpenResty had the second largest increase, gaining 6,008 (+3.54%) web-facing computers, along with a gain of 339,813 (+0.86%) domains and 149,893 (+2.35%) active sites. Google showed strong growth in all metrics, with an increase of 5,127 web-facing computers, 211,135 (+8.83%) domains, and 895,225 (+4.71%) active sites.

Within the top million busiest sites, Apache lost 0.21pp of its market share. Despite this, it continues to be the most commonly used web server in the top million. nginx also continued its long-term downward trend, but lost only 0.14pp, further closing the gap between Apache and nginx. The gap now stands at 4,499 sites, a decrease of 13.8% since last month. Meanwhile, Cloudflare’s growth continues, with its market share in the top million increasing by 0.25pp.

Apache also experienced a loss in overall market share, losing 414,684 (-0.94%) active sites and 18,156 computers (-0.49%). The only other developers to lose active sites were Microsoft and nginx, with losses of 58,443 (-1.01%) and (-0.10%) respectively.

LiteSpeed’s market share continues to increase at a steady rate, with it gaining 92,704 (+1.14%) domains and 70,146 (+0.73%) active sites this month.

Vendor news

• njs 0.7.7, the scripting language used to extend nginx, was released on 30 August 2022, with new features and bug fixes.
• Lighttpd 1.4.67 was released, with a variety of bug fixes.
• Amazon AWS opened a new region in the United Arab Emirates. This is the second AWS region in the Middle East, joining the existing region in Bahrain.
• Cloudflare published an article about the development of its purpose built HTTP Proxy, Pingora.

Continue reading