
How to remove the Server header in NGINX


Security through obscurity is not a silver bullet that makes your website completely secure, but that doesn't mean you shouldn't use it. As a complementary security measure, it should still be applied.

By default, NGINX reveals its name and version both in the Server HTTP header and in its error pages, e.g. nginx/1.16.1.

To confirm the currently emitted header, you may run in your terminal:

curl -IsL https://example.com/ | grep -i server

Hide version information

The standard measure you may already be using in this regard is hiding the NGINX version information. In your nginx.conf:

http {
   ...
   server_tokens off;
   ...
}

This only hides the specific version of NGINX from the Server header and error pages.
The header becomes:

Server: nginx

However, it’s much better to remove the Server header completely.

Hide the Server header

You can easily achieve this by using third-party modules.

Using ngx_security_headers module

Using our RPM repository for NGINX (requires subscription), it’s easy to install the module with:

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-module-security-headers

Now you can adjust your nginx.conf like this:

load_module modules/ngx_http_security_headers_module.so;

http {
    ...
    hide_server_tokens on;
    ...
}

As a result, the Server header is completely eliminated from the responses.

Using Headers More module

Using our RPM repository for NGINX (requires subscription), this module is easy to install with:

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-module-headers-more

Now you can adjust your nginx.conf like this:

load_module modules/ngx_http_headers_more_filter_module.so;

http {
    ...
    more_clear_headers Server;
    ...
}

Likewise, the Server header will be completely gone from the responses.

Bonus tip: Hide the use of NGINX altogether

Hiding the Server header is good, but you might notice that the default NGINX error pages still contain the word "nginx".

Option 1. Use NGINX-MOD

An easy way to completely hide the presence of NGINX on the server is to use NGINX-MOD.
Simply specify the following in the configuration:

server_tokens none;

Only NGINX-MOD supports the none value for the server_tokens directive.

Option 2. Via source code change

Alternatively, you can hide the NGINX presence by recompiling it from the source (highly discouraged, see common pitfalls).

You need to patch the NGINX sources so that they no longer disclose the NGINX software:

sed -i 's@"nginx/"@"-/"@g' src/core/nginx.h
sed -i 's@r->headers_out.server == NULL@0@g' src/http/ngx_http_header_filter_module.c
sed -i 's@r->headers_out.server == NULL@0@g' src/http/v2/ngx_http_v2_filter_module.c
sed -i 's@<hr><center>nginx</center>@@g' src/http/ngx_http_special_response.c

Then recompile NGINX.
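Whichever option you choose, it pays to verify the result the same way an outsider would see it. The following POSIX shell functions are an added example, not part of the original post: classify_server_header grades captured response headers as disclosed (product and version), product (name only, i.e. server_tokens off) or hidden (no Server header), and body_mentions_nginx checks whether a default error page still names nginx. check_url assumes curl is installed and that you pass the URL of your own server.

```shell
#!/bin/sh
# Added example (not from the original post): verify what a response
# discloses about the server, from raw response headers and body.

# classify_server_header: reads HTTP response headers on stdin, prints one of
#   disclosed - Server header carries product and version, e.g. "nginx/1.16.1"
#   product   - Server header names the product only, e.g. "nginx"
#   hidden    - no Server header at all (module or NGINX-MOD in place)
classify_server_header() {
    # Header names are case-insensitive; strip the CR that curl -i/-D emits.
    value=$(tr -d '\r' | awk 'tolower($1)=="server:" {sub(/^[^:]*:[ \t]*/,""); print; exit}')
    if [ -z "$value" ]; then
        echo hidden
    elif echo "$value" | grep -q '/'; then
        echo disclosed
    else
        echo product
    fi
}

# body_mentions_nginx: returns 0 (true) when the body on stdin still leaks
# the product name, e.g. the "<hr><center>nginx</center>" footer of a 404 page.
body_mentions_nginx() {
    grep -qi 'nginx'
}

# check_url: run both checks against a live server (assumes curl is available).
check_url() {
    url=$1
    headers=$(curl -sS -o /dev/null -D - "$url")
    printf 'Server header: %s\n' "$(printf '%s\n' "$headers" | classify_server_header)"
    # Request a path that should not exist so the default 404 page is served.
    if curl -sS "${url%/}/does-not-exist-$$" | body_mentions_nginx; then
        echo 'Error page: still names nginx'
    else
        echo 'Error page: clean'
    fi
}
```

Run check_url https://your-server.example/ before and after the change; a hardened server should report "hidden" and "Error page: clean".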

Option 3. Via GetPageSpeed servers

GetPageSpeed-provisioned servers, and any servers we perform monthly maintenance for, already hide the Server header for you.

Such servers run the Citrus Stack, which includes NGINX-MOD as the web server of choice.
