📅 Updated: January 28, 2026 (Originally published: June 24, 2018)
Security through obscurity isn’t a holy grail that will make your website completely secure, but that doesn’t mean you shouldn’t use it. As a complementary security measure, it must be used.
By default, NGINX discloses its name and version in the Server HTTP header and on its error pages, e.g.: nginx/1.26.2.
To confirm the currently emitted header, run in your terminal:
curl -IsL https://example.com/ | grep -i server
Hide Version Information
The standard security solution is hiding NGINX version information. In your nginx.conf:
http {
    server_tokens off;
}
This hides the specific version from the Server header and error pages. The header becomes:
Server: nginx
However, it’s much better to remove the Server header completely.
Remove the Server Header Completely
You can achieve this using third-party modules from the GetPageSpeed repository.
Using ngx_security_headers Module
The security-headers module provides a simple directive to hide the server token completely:
For Rocky Linux, AlmaLinux, CentOS 8/9, or Fedora:
sudo dnf install -y https://extras.getpagespeed.com/release-latest.rpm
sudo dnf install -y nginx-module-security-headers
For CentOS/RHEL 7:
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-module-security-headers
Note: An active NGINX Extras subscription is required for RHEL-based systems. Fedora users have free access.
Enable the module and configure it in your nginx.conf:
load_module modules/ngx_http_security_headers_module.so;
http {
    hide_server_tokens on;
}
The Server header is completely eliminated from responses.
Using Headers-More Module
The headers-more module provides flexible header manipulation:
For Rocky Linux, AlmaLinux, CentOS 8/9, or Fedora:
sudo dnf install -y https://extras.getpagespeed.com/release-latest.rpm
sudo dnf install -y nginx-module-headers-more
For CentOS/RHEL 7:
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-module-headers-more
Configure in your nginx.conf:
load_module modules/ngx_http_headers_more_filter_module.so;
http {
    more_clear_headers Server;
}
The Server header will be completely removed from responses.
Hide NGINX Presence Entirely
Removing the Server header is good, but NGINX’s default error pages still contain the word “nginx”.
Option 1: Use NGINX-MOD (Recommended)
NGINX-MOD is an enhanced NGINX build that supports complete hiding:
server_tokens none;
Only NGINX-MOD supports the none value for the server_tokens directive. This removes “nginx” from both the header and error pages.
Option 2: Custom Error Pages
Create custom error pages that don’t mention NGINX:
server {
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/error_pages;
        internal;
    }
}
Option 3: Source Code Modification (Not Recommended)
You can hide NGINX presence by recompiling from source (discouraged – see common pitfalls).
Verify the Server Header Is Removed
Test your configuration:
curl -IsL https://example.com/ | grep -i server
If configured correctly, there should be no output (no Server header present).
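The header check above does not cover error pages, so the following added example (not from the original article) classifies a raw response, as printed by `curl -si`, by what it still discloses in either place. The sample responses are constructed, and `classify_response`, the sample function names and the `/no-such-page` path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# classify_response reads one raw HTTP response on stdin (status line, headers,
# blank line, body, i.e. the output of `curl -si URL`) and prints the most
# specific NGINX disclosure it finds:
#   version  Server header carries a version (default behaviour)
#   name     Server header present without a version (server_tokens off)
#   body     no Server header, but the body still contains the word "nginx"
#   clean    none of the above
classify_response() {
    tr -d '\r' | awk '
        BEGIN { leak = "clean" }
        !in_body && /^$/ { in_body = 1; next }   # blank line ends the headers
        !in_body && tolower($0) ~ /^server:/ {
            leak = ($0 ~ /[0-9]+\.[0-9]+/) ? "version" : "name"
        }
        in_body && leak == "clean" && tolower($0) ~ /nginx/ { leak = "body" }
        END { print leak }'
}

# Constructed sample responses (not captured from a real server).
default_404() {
    printf 'HTTP/1.1 404 Not Found\r\nServer: nginx/1.26.2\r\n\r\n'
    printf '<hr><center>nginx/1.26.2</center>\n'
}
tokens_off_404() {
    printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n'
    printf '<hr><center>nginx</center>\n'
}
header_removed_404() {   # Server header cleared, stock error page still served
    printf 'HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n'
    printf '<hr><center>nginx</center>\n'
}
custom_page_404() {      # Server header cleared and a custom error page
    printf 'HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n'
    printf '<h1>Page not found</h1>\n'
}

for sample in default_404 tokens_off_404 header_removed_404 custom_page_404; do
    printf '%-20s %s\n' "$sample" "$("$sample" | classify_response)"
done

# Against your own host (the path is a placeholder chosen to trigger an error page):
#   curl -si https://example.com/no-such-page | classify_response
```

The filter expects a single response, so run `curl` without `-L` when piping into it.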
Additional Security Headers
While removing the Server header, consider adding security headers to improve your site’s security posture. See our guides on:
- NGINX HSTS configuration for transport security
- NGINX TLS 1.3 hardening for SSL/TLS configuration

