Hiawatha is an open source webserver with a focus on security. I started Hiawatha in January 2002. Before that time, I had used several webservers, but I didn't like them. They had unlogical, almost cryptic configuration syntax and none of them gave me a good feeling about their security and robustness. So, I decided it was time to write my own webserver. I never thought that my webserver would become what it is today, but I enjoyed working on it and liked to have my own open source project. In the years that followed, Hiawatha became a fully functional webserver.

Version history

Like every new project, Hiawatha started very small. All the nice features Hiawatha has today, weren't available in the beginning. To give you an idea about how Hiawatha grew up, here is an overview of the most important Hiawatha releases and their best new features.

  • 1.0: September 2002, a basic but functional webserver.
  • 2.0: March 2004, use of multithreading instead of forking.
  • 3.0: September 2004, SSL support.
  • 4.0: December 2005, a CGI-wrapper for improved security was included.
  • 5.0: October 2006, FastCGI support for improved CGI speed.
  • 5.12: August 2007. URL rewriting support.
  • 6.0: October 2007, IPv6 support.
  • 6.6: April 2008. XSLT support.
  • 7.0: February 2010, the Hiawatha Monitor for remote webserver monitoring.
  • 8.0: January 2012, Autoconf replaced with CMake and OpenSSL replaced with mbed TLS.
  • 8.3: May 2012, reverse proxy added.
  • 9.0: March 2013, usage of a thread pool instead of forking threads on the fly.
  • 10.0: November 2015, significant changes in configuration syntax.
  • 11.0: July 2021, mbed TLS library updated to v3.0.0.

For a list of the most important capabilities of the Hiawatha webserver, take a look at this feature list.

Project goals

Because of my great interest in IT security, I paid extra attention to security while I was working on Hiawatha. Beside all the default security measures you can expect from a modern webserver, there are a lot of security features in Hiawatha you won't find in any other webserver. Many of them started as an experiment, but in the meantime, most of them have proven to be very useful.

A second thing I wanted my webserver to be is easy-to-use. This resulted in a readable configuration syntax and not having to be a HTTP or CGI expert in order to get Hiawatha running.

I strongly believe that many features you find in several other webservers, shouldn't be placed inside a webserver but in a web application. They make them big and bloated. Hiawatha only has the features necessary to do what a webserver has to do; serving web applications. Hiawatha's small size makes it therefor perfect for embedded systems and older hardware.


Hiawatha started as a webserver for my own Debian Linux server, but in the meantime it has become available on many operating systems. Compile and run tests of Hiawatha have successfully been done (by myself and others) on Debian, Ubuntu, Gentoo, Fedora, Slackware, FreeBSD, OpenBSD, NetBSD, MacOS X and Cygwin. Because of the use of a platform-independent build system, it's very likely that Hiawatha will compile and run on other Unix-clones as well.


What other people say about Hiawatha:

  • Hugo! Thank you very much for your work on Hiawatha, and on the Hiawatha Monitor. I love your webserver. I can't honestly say I'm a "serious" user, but I'm working on my portfolio website as I near the end of college and I have very much enjoyed working with Hiawatha over nginx, apache, and friends on my little VPS. Hiawatha's configuration syntax is the simplest, and its security settings are obvious. It was easier to get a Qualsys SSL grade of A with Hiawatha than it was to get a grade of C using Apache. It was easier to set up Hiawatha to run a ReverseProxy than it was to enable Reverse Proxy ability in the first place using Apache. And every time you publish Hiawatha speed or security statistics, I cannot help but feel like I am making the right choice. I haven't needed the expansive and unintelligible documentation and StackOverflow resources that Apache and Nginx have -- because Hiawatha doesn't need it, it's too easy to begin with! And besides, why get all quagmired in various security settings when Hiawatha has good ones by default? :) So, thank you, because I suspect you don't get to hear those words enough.
    Someone via Twitter
  • I am using the Hiawatha web server to host content at www.linuxprogramming.ca, and have found it to be very secure and easy to use --- all in addition to it being fast. I have studied the source code to Hiawatha, and have found it to be very well written. The documentation and provided configuration files are also very well written and easy to understand. I particularly like how the all of the configuration options are outlined in a single manual page (with references to other manual pages, as required). This has allowed me to have a fairly comprehensive understanding of the server in a short period of time, as well as enabling me to make good technical decisions concerning what technology stack and how to implement it.
  • Designed around security and performance, this web server is probably the best that's available for both high-end and low-end servers. ... It runs absolutely flawlessly. Getting it up and running was cake, I just really wish I found out about it sooner!
  • I’ve been using Hiawatha as my primary web server for about four years, and in that timeframe I’ve never seen a single crash, out of memory error, or other undesirable behavior. It’s also blocked literally millions of attacks and attempted exploits, always been fast and responsive, and to date I have never run into a single limitation which caused me to regret that decision.

    Hiawatha is a fast, efficient, and very secure web server which provides a high degree of flexibility and ease of use. If you haven’t tried Hiawatha, you should really give it a spin.
  • So 'tis the season to setup a new e-commerce site, or so it seems. In the last week, I've setup two separate Magento instances for two different friends in the industry. Unfortunately, it was written specifically against Apache, and therefore relies heavily on Apache-specific behavior (lots of rewrites, .htaccess hacks, direct interaction with certain Apache modules via PHP, etc). Thus, it frankly scales like crap without a decent load balancer, it's trivial to DoS, and requires many hours of tuning and tinkering to be ready for real customer traffic.

    Thankfully, in the wake of Heartbleed, people have been much more receptive to looking beyond "safe" technologies like Apache and OpenSSL, thus leaving the door open to alternative stacks.

    With Hiawatha's new-ish ReverseProxy functionality, I was able to support 10x the traffic of vanilla Apache, 30% more simultaneous TLS handshakes, and make it completely immune to Slowloris/slowheaders style DoS (mirroring the results you published last month). I was also able to make Apache's memory footprint much more predictable, forcing it to spawn a specific number of static forks instead of allowing the normal balloon behavior which fragments memory and eats precious CPU time. So, while it's not quite as fast as Hiawatha + php5-fpm would be, it's not too far off. Add to this Hiawatha's ability to cache up to 100M of proxied static content, and it's lower-latency than vanilla Apache as well, giving users a snappier, more professional feeling interface.
  • could there be a more secure, efficient, high-performance, and easy-to-use web server that seems born to run on embedded systems?
  • We decided that we could do better than our previous webserver and set about benchmarking everything out there. After comprehensive testing (and I do mean comprehensive - we optimised and tested them all!), we found Hiawatha to be superior in terms of configurability, speed, stability (no memory leaks! No crashes!), support and security. It now forms an integral part of our and our client's infrastructure and is serving pages at around 150% of the capacity of our previous webserver on the same hardware.
  • I started using it at my work place yesterday and today I'm already getting too much attention from colleagues. They've all attested to the speed with which they download; it's cool to note that its memory consumption and footprint are small.
    A software developer at the International Institute of Tropical Agriculture
  • Apache's security approach is terrible (ha.ckers.org/blog/20090617/slowloris-http-dos), so I started to search for an alternative. Wikipedia pointed me to Hiawatha. I was testing it for months, and currently it serves all our customer websites. The support is very professional, questions on the forum are answered within minutes! Configuration is a breeze, with unique security options. You just have to try it, to realize that setting up a secure webserver must not be a rocket science.
    Jan Harustiak, system administrator at Solexperts AG
  • I came across Hiawatha from the Puppy linux community. After much testing, I found that Hiawatha is a rock solid, secure, fast and lightweight server. I have been a fan of Hiawatha ever since. We were having huge bandwidth usage on Puppylinux.ca. Recently, we even crossed 1000 GB of bandwidth usage a day. There were lot of abusers and robots that were causing this spike. We switched our server to Hiawatha and we are having only around 40GB bandwidth usage a day which is way below the past usage. The ban options in Hiawatha have helped us immensely. I also find Hiawatha very easy to setup and configure. This is my server of choice. To add on to all this, Hugo who created Hiawatha has been very helpful in answering any questions we had. He continues to improve Hiawatha with every version. Thanks a lot for this great web server. Please keep developing this.
    Prithish Mathews, puppylinux.ca administrator and developer of Macpup.
  • In January 2002, Hugo decided to develop his own webserver. This led to Hiawatha, which, in contrast to competitors, has several interesting security features. With its excellent performance and limited size of 600kb[1], it's ideal for low-end and embedded machines.
    Tim Schürmann, German author and editor
  • The difference between an Apache and a Hiawatha configuration file is like the difference between Sendmail's freebsd.cf and Postfix's main.cf.
    ...I certainly appreciate its ease of installation and configuration.
    Dru Lavigne, Canadian network and systems administrator, IT instructor, author and international speaker
  • [1] Hiawatha's binary was about 130kb in size at that time. It looks like Tim forgot to strip the binary.