diff --git a/ostp-client/src/transport/xhttp.rs b/ostp-client/src/transport/xhttp.rs
index 0fd4ecf..9aad667 100644
--- a/ostp-client/src/transport/xhttp.rs
+++ b/ostp-client/src/transport/xhttp.rs
@@ -125,9 +125,12 @@ pub async fn connect_xhttp(
 if buf[..header_len].windows(4).any(|w| w == b"\r\n\r\n") { break; }
 }
 let resp = String::from_utf8_lossy(&buf[..header_len]);
- if !resp.contains("200 OK") {
+ if !resp.starts_with("HTTP/1.1 200 OK") {
 anyhow::bail!("xHTTP handshake failed: expected 200 OK, got: {}", resp.lines().next().unwrap_or(""));
 }
+ if !resp.to_ascii_lowercase().contains("x-ostp-server:") {
+ anyhow::bail!("xHTTP handshake failed: endpoint is not an OSTP server (missing X-Ostp-Server header)");
+ }
 // Extract leftover payload if any
 let headers_end = buf[..header_len].windows(4).position(|w| w == b"\r\n\r\n").unwrap() + 4;
@@ -150,9 +153,12 @@ pub async fn connect_xhttp(
 if buf[..header_len].windows(4).any(|w| w == b"\r\n\r\n") { break; }
 }
 let resp = String::from_utf8_lossy(&buf[..header_len]);
- if !resp.contains("200 OK") {
+ if !resp.starts_with("HTTP/1.1 200 OK") {
 anyhow::bail!("xHTTP handshake failed: expected 200 OK, got: {}", resp.lines().next().unwrap_or(""));
 }
+ if !resp.to_ascii_lowercase().contains("x-ostp-server:") {
+ anyhow::bail!("xHTTP handshake failed: endpoint is not an OSTP server (missing X-Ostp-Server header)");
+ }
 let headers_end = buf[..header_len].windows(4).position(|w| w == b"\r\n\r\n").unwrap() + 4;
 let leftover = buf[headers_end..header_len].to_vec();
diff --git a/ostp-server/src/transport/uot.rs b/ostp-server/src/transport/uot.rs
index 04f05a1..38173ab 100644
--- a/ostp-server/src/transport/uot.rs
+++ b/ostp-server/src/transport/uot.rs
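Review bot: The new marker check in the first xhttp.rs hunk (`@@ -125,9 +125,12`) is a substring search over all of `buf[..header_len]`, which per the following lines can also hold leftover payload after `\r\n\r\n`, so `x-ostp-server:` is accepted inside a header value, as the tail of a longer header name, or in the body. Match it as a header name inside the header block only, e.g. `let is_ostp = resp.lines().skip(1).take_while(|l| !l.is_empty()).any(|l| l.split_once(':').is_some_and(|(n, _)| n.trim().eq_ignore_ascii_case("x-ostp-server")));` followed by `if !is_ostp { anyhow::bail!(…) }` with the existing message. The same applies to the identical check in the second hunk (`@@ -150,9 +153,12`). `connect_xhttp` starts and ends outside both hunks.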
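Review bot: The status-line and `X-Ostp-Server` checks in the second xhttp.rs hunk (`@@ -150,9 +153,12`) are a verbatim copy of the ones in the first hunk, so any later tightening of the handshake validation has to be made twice and the two branches can drift apart. Moving both checks into one private helper, for example `fn check_handshake_response(resp: &str) -> anyhow::Result<()>`, and calling it from each branch keeps the validation in one place. The helper name is only a suggestion, and the enclosing function continues outside the hunk.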
@@ -108,7 +108,7 @@ pub async fn handle_tcp_connection(
 }
 // Reply 200 OK
- let response = "HTTP/1.1 200 OK\r\nContent-Length: 99999999999\r\nConnection: keep-alive\r\n\r\n";
+ let response = "HTTP/1.1 200 OK\r\nX-Ostp-Server: 1\r\nContent-Length: 99999999999\r\nConnection: keep-alive\r\n\r\n";
 stream.write_all(response.as_bytes()).await?;
 info!("UoT client authenticated from {}", peer_addr);
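Review bot: `X-Ostp-Server: 1` in the new response literal is a fixed, unauthenticated value, so the client check it satisfies can tell an OSTP endpoint from an unrelated HTTP responder but cannot prove server identity; a comment above the literal should say so, e.g. `// X-Ostp-Server is a misconfiguration guard only: constant value, not authenticated, not a trust signal.` The header name now lives in two independent string literals (here and as `"x-ostp-server:"` in the client), which would be safer as one shared constant if the two crates have a common dependency. This diff updates only the UoT reply; if the xHTTP server path builds its 200 response elsewhere, it needs the same header or the new client check will presumably reject it. `handle_tcp_connection` begins and ends outside the hunk.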