NGINX / Security / Server Setup

How to remove the Server header in NGINX

by , , revisited on


We have by far the largest RPM repository with dynamic stable NGINX modules and VMODs for Varnish 4.1 and 6.0 LTS. If you want to install NGINX, Varnish and lots of useful modules for them, this is your one stop repository to get all performance related software.
You have to maintain an active subscription in order to be able to use the repository!

Security through obscurity isn’t the holy grail that will make your website secure completely. But it doesn’t mean you shouldn’t use it. As a complementary security measure, it must be used.

NGINX, by default, sends information about its use in the Server HTTP header as well as error pages, e.g.: nginx/1.16.1.

To confirm the currently emitted header, you may run in your terminal:

curl -IsL https://example.com/ | grep -i server

Hide version information

The standard security solution you might be already using in these regards is hiding NGINX version information. In your nginx.conf:

http {
   ...
   server_tokens off;
   ...
}

This only hides the specific version of NGINX from the Server header and error pages.
The header becomes:

Server: nginx

However, it’s much better to remove the Server header completely.

Hide the Server header

You can easily achieve this by using third-party modules.

Using ngx_security_headers module

If you’re using our RPM repository for NGINX, it’s easy to install the module with:

sudo yum -y install nginx-module-security-headers

Now you can adjust your nginx.conf like this:

load_module modules/ngx_http_security_headers_module.so;

http {
    ...
    hide_server_tokens on;
    ...
}

As a result, the Server header is completely eliminated from the responses.

Using Headers More module

If you’re using our RPM repository in NGINX, this module is easy to install the module with:

sudo yum -y install nginx-module-headers-more

Now you can adjust your nginx.conf like this:

load_module modules/ngx_http_headers_more_filter_module.so;

http {
    ...
    more_clear_headers Server;
    ...
}

Likewise, the Server header will be completely gone from the responses.

Bonus tip: Hide use of NGINX altogether

Hiding the Server header is good, but you might notice that the default error pages by NGINX still output the “nginx” word in them.

It is possible to achieve this by recompiling NGINX from the source.

You need to adjust NGINX sources to prevent the information disclosure of NGINX software.

sed -i 's@"nginx/"@"-/"@g' src/core/nginx.h
sed -i 's@r->headers_out.server == NULL@0@g' src/http/ngx_http_header_filter_module.c
sed -i 's@r->headers_out.server == NULL@0@g' src/http/v2/ngx_http_v2_filter_module.c
sed -i 's@<hr><center>nginx</center>@@g' src/http/ngx_http_special_response.c

Then recompile NGINX.

Citrus Stack server users already have a secure NGINX version, which doesn’t need this.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.