How to remove the Server header in NGINX

Danila Vershinin
2 min read · Jun 24, 2018


Security through obscurity isn’t a holy grail that will make your website completely secure, but that doesn’t mean you shouldn’t use it. As a complementary security measure, it must be used.

By default, NGINX announces itself in the Server HTTP header as well as in its error pages, e.g. nginx/1.14.0.

Hide version information

The standard measure you may already be using in this regard is hiding the NGINX version information. In your nginx.conf:

http {
...
server_tokens off;
...
}

This only hides the specific version of NGINX from the Server header and error pages.

However, it’s much better to remove or hide the Server header completely.

Hide the Server header

You can easily achieve this by using third-party modules.

Using the ngx_security_headers module

If you’re using our RPM repository with NGINX Extras, this module is easy to install with yum install nginx-module-security-headers.

Now you can adjust your nginx.conf like this:

load_module modules/ngx_http_security_headers_module.so;

http {
...
security_headers on;
...
}

Using the Headers More module

If you’re using our RPM repository with NGINX Extras, it’s easy to install the module with yum install nginx-module-headers-more.

Now you can adjust your nginx.conf like this:

load_module modules/ngx_http_headers_more_filter_module.so;

http {
...
more_clear_headers Server;
...
}

While this is a great solution, you might notice that the default NGINX error pages still contain the word “nginx”.

Hide the use of NGINX altogether

So you may want to patch the NGINX sources so that nothing discloses your use of NGINX at all. You’ll have to recompile NGINX to achieve this:

sed -i 's@"nginx/"@"-/"@g' src/core/nginx.h
sed -i 's@r->headers_out.server == NULL@0@g' src/http/ngx_http_header_filter_module.c
sed -i 's@r->headers_out.server == NULL@0@g' src/http/v2/ngx_http_v2_filter_module.c
sed -i 's@<hr><center>nginx</center>@@g' src/http/ngx_http_special_response.c

Citrus Stack server users already have a secured NGINX build, which doesn’t need this.
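As an added check (example code, not from this post or from the NGINX project), the following Python classifies what a response reveals by inspecting both the Server header and the error-page body. The sample responses are constructed to mirror each configuration step above (server_tokens off is assumed for the two module steps); you can feed it your own `curl -si` output instead.

```python
import re

# Disclosure patterns: a full version string vs. just the product name.
VERSION_RE = re.compile(r"nginx/\d+(?:\.\d+)+", re.IGNORECASE)
PRODUCT_RE = re.compile(r"nginx", re.IGNORECASE)

def split_response(raw: str):
    """Split a raw HTTP/1.1 response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def disclosure_level(raw: str) -> str:
    """Return 'version', 'product' or 'hidden' for one raw response."""
    headers, body = split_response(raw)
    haystack = headers.get("server", "") + "\n" + body
    if VERSION_RE.search(haystack):
        return "version"
    if PRODUCT_RE.search(haystack):
        return "product"
    return "hidden"

def build_404(server_header, footer):
    """Constructed 404 in the shape of NGINX's default error page."""
    hdr = f"Server: {server_header}\r\n" if server_header is not None else ""
    return ("HTTP/1.1 404 Not Found\r\n" + hdr + "Content-Type: text/html\r\n\r\n"
            "<html>\r\n<head><title>404 Not Found</title></head>\r\n"
            "<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n"
            f"{footer}\r\n</body>\r\n</html>\r\n")

# Constructed samples, one per configuration step in the post.
SAMPLES = {
    "default":                   build_404("nginx/1.14.0", "<hr><center>nginx/1.14.0</center>"),
    "server_tokens off":         build_404("nginx", "<hr><center>nginx</center>"),
    "more_clear_headers Server": build_404(None, "<hr><center>nginx</center>"),
    "patched sources":           build_404(None, ""),
}

def audit_all() -> dict:
    """Map each configuration name to its disclosure level."""
    return {name: disclosure_level(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, level in audit_all().items():
        print(f"{name:26s} -> {level}")
```

Note that clearing the header alone still reports "product", because the body of the default error page is inspected too.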
