Disable Nginx Version Number in HTTP Headers

By default, Nginx sends its version number in the HTTP response. Hackers can use this information to look up and exploit known vulnerabilities for that exact version, which matters most if you are running an older release. Security wise, it’s good practice not to reveal the version number of the HTTP server.

To check for the HTTP response headers sent by Nginx, use the curl command. Change the URL http://foo-web-server.com to your own HTTP server address instead.

$ curl -Iis http://foo-web-server.com | grep "^Server"
Server: nginx/1.4.6 (Ubuntu)

There are quite a number of ways to disable the version number header. One option is to modify the Nginx source code and build the binaries from the modified source. But adopting this method means you can no longer use the package manager (apt-get, yum, pkgadd, etc.) to update Nginx. So, we will instead look at ways to change the version header with configuration file changes only. Two such methods are discussed below.

Disable Nginx Version Number – Method 1

The first method to disable the version header is to set the “server_tokens” directive to off in the nginx.conf file, under the http section. The default value for “server_tokens” is on. With it off, the Server header is reduced to just “nginx”.

Disable Nginx Version Number – Method 2

The second method requires the “nginx-extras” package to be installed. Install the package if it has not been installed yet, using apt-get, yum or the relevant package manager for the system in question.

# apt-get install nginx-extras
# yum install nginx-extras

After installing the package, edit the Nginx site configuration file under /etc/nginx/sites-available and add the “more_set_headers” directive within the server section.

You can also choose to change the server name from “nginx” to an arbitrary value – to confuse the potential hackers even further.
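The two methods side by side, as an added configuration example that is not from the original post. The host name foo-web-server.com is taken from the post; the replacement server name “web” and the document root are assumed values.

```nginx
http {
    # Method 1: built into stock Nginx. Removes the version (and the
    # distribution suffix) from the Server header and from Nginx's own
    # error pages, leaving just "Server: nginx".
    server_tokens off;

    server {
        listen 80;
        server_name foo-web-server.com;   # host name from the post

        # Method 2: needs the headers-more module (nginx-extras package).
        # Replaces the whole Server header value with an arbitrary string.
        # It only rewrites the header, so keep server_tokens off as well
        # to stop the version showing up in built-in error pages.
        more_set_headers "Server: web";   # assumed replacement name

        location / {
            root /var/www/html;           # assumed document root
        }
    }
}
```

After reloading, the curl check from the post should show “Server: web” instead of the versioned string.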

Restart Nginx with New Configuration

Once the configuration files have been changed, restart the nginx process.

# service nginx restart

Check the HTTP headers again and the Nginx version number should no longer be revealed.

$ curl -Iis http://foo-web-server.com | grep "^Server"
Server: nginx

Notice that the HTTP “Server” header now contains neither the version nor the Unix / Linux distribution information.

ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, perl, php, python, java, javascript, nodejs, angular, react); plays_on(xbox, ps4); linux_desktop_user(true); }