By default, Nginx sends its version number in the HTTP response. Hackers can use this information to try and exploit any known vulnerabilities in Nginx, especially if you are running a version with known vulnerabilities. Security-wise, it is good practice not to reveal the version number of the HTTP server.
To check which HTTP response headers Nginx sends, use the curl command. Replace the URL http://foo-web-server.com with the address of your own HTTP server.
```shell
$ curl -Iis http://foo-web-server.com | grep "^Server"
Server: nginx/1.4.6 (Ubuntu)
```
There are quite a number of ways to disable the version number header. One option is to modify the Nginx source code and build the binaries from the modified source. Adopting this method, however, means that you can no longer use the package manager (apt-get, yum, pkgadd, etc.) to update Nginx. So we will instead look at ways to modify the version header with configuration file changes only. The two main methods are discussed below.
Disable Nginx Version Number – Method 1
The first method to disable the version header is to set the server_tokens directive to off in the nginx.conf file, under the http section. The default value of server_tokens is on.
```nginx
...
http {
    ...
    server_tokens off;
    ...
}
...
```
Disable Nginx Version Number – Method 2
The second method requires the nginx-extras package to be installed. Install it if it is not already present, using apt-get, yum or the relevant package manager for the system in question.
```shell
# apt-get install nginx-extras
```

```shell
# yum install nginx-extras
```
After installing the package, edit the Nginx site configuration file under /etc/nginx/sites-available and add the more_set_headers directive within the server section.
```nginx
...
server {
    ...
    more_set_headers 'Server: nginx';
    ...
}
...
```
You can also choose to change the server name from nginx to an arbitrary value, to confuse potential hackers even further.
Restart Nginx with New Configuration
Once the configuration files have been changed, restart the Nginx process.
```shell
# service nginx restart
```
Check the HTTP headers again and the Nginx version number should no longer be revealed.
```shell
$ curl -Iis http://foo-web-server.com | grep "^Server"
Server: nginx
```
Notice that the HTTP Server header now contains neither the version nor the Unix / Linux distribution information.
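The manual check above relies on eyeballing the curl output. The following script is an added example, not part of the original post: it extracts the Server header from a captured HTTP response and reports whether it still leaks a version number or a distribution tag, so the check can be run from a cron job or a deployment pipeline. The two header blocks embedded in it are constructed samples modelled on the before/after curl output shown in the article; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: classify the Server header of an HTTP response.
# Usage: curl -Iis http://foo-web-server.com | classify_server_header

# Print the value of the first Server header read from stdin (case-insensitive),
# with the header name and any trailing carriage return removed.
server_header() {
    tr -d '\r' | grep -i '^Server:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# Read response headers from stdin and print one of:
#   leaks  - the value carries a version (digits after a slash) or a
#            parenthesised distribution tag such as "(Ubuntu)"
#   ok     - a bare product name such as "nginx"
#   absent - no Server header at all
classify_server_header() {
    value=$(server_header)
    if [ -z "$value" ]; then
        echo absent
    elif echo "$value" | grep -Eq '/[0-9]+(\.[0-9]+)*|\('; then
        echo leaks
    else
        echo ok
    fi
}

# Constructed sample responses, based on the article's curl output.
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Content-Type: text/html'

AFTER_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# Demonstration on the constructed samples.
printf 'before: %s\n' "$(printf '%s\n' "$BEFORE_HEADERS" | classify_server_header)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER_HEADERS" | classify_server_header)"
```

A practical detail worth keeping in mind when using such a check: server_tokens off also removes the version from the footer of Nginx's built-in error pages, so a request for a non-existent path is a useful second input to feed the script, not only the site root.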