
How to Remove the Server Header in NGINX


📅 Updated: January 28, 2026 (Originally published: June 24, 2018)

Security through obscurity isn’t a holy grail that will make your website completely secure, but that doesn’t mean you shouldn’t use it. As a complementary security measure, it must be used.

NGINX, by default, discloses its name and version in the Server HTTP header as well as on error pages, e.g.: nginx/1.26.2.

To confirm the currently emitted header, run in your terminal:

curl -IsL https://example.com/ | grep -i server

Hide Version Information

The standard security solution is hiding NGINX version information. In your nginx.conf:

http {
    server_tokens off;
}

This hides the specific version from the Server header and error pages. The header becomes:

Server: nginx

However, it’s much better to remove the Server header completely.

Remove the Server Header Completely

You can achieve this using third-party modules from the GetPageSpeed repository.

Using ngx_security_headers Module

The security-headers module provides a simple directive to hide the server token completely. Install the module first.

For Rocky Linux, AlmaLinux, CentOS 8/9, or Fedora:

sudo dnf install -y https://extras.getpagespeed.com/release-latest.rpm
sudo dnf install -y nginx-module-security-headers

For CentOS/RHEL 7:

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-module-security-headers

Note: An active NGINX Extras subscription is required for RHEL-based systems. Fedora users have free access.

Enable the module and configure it in your nginx.conf:

load_module modules/ngx_http_security_headers_module.so;

http {
    hide_server_tokens on;
}

The Server header is completely eliminated from responses.

Using Headers-More Module

The headers-more module provides flexible header manipulation. Install the module first.

For Rocky Linux, AlmaLinux, CentOS 8/9, or Fedora:

sudo dnf install -y https://extras.getpagespeed.com/release-latest.rpm
sudo dnf install -y nginx-module-headers-more

For CentOS/RHEL 7:

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-module-headers-more

Configure in your nginx.conf:

load_module modules/ngx_http_headers_more_filter_module.so;

http {
    more_clear_headers Server;
}

The Server header will be completely removed from responses.

Hide NGINX Presence Entirely

Removing the Server header is good, but NGINX’s default error pages still contain the word “nginx”.

Option 1: NGINX-MOD

NGINX-MOD is an enhanced NGINX build that supports complete hiding:

server_tokens none;

Only NGINX-MOD supports the none value for the server_tokens directive. This removes “nginx” from both the header and error pages.

Option 2: Custom Error Pages

Create custom error pages that don’t mention NGINX:

server {
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/error_pages;
        internal;
    }
}

You can also hide NGINX’s presence by recompiling from source (discouraged – see common pitfalls).

Verify the Server Header Is Removed

Test your configuration:

curl -IsL https://example.com/ | grep -i server

If configured correctly, there should be no output (no Server header present).
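The one-line check above also matches unrelated headers such as Server-Timing, and it says nothing about error-page bodies. The following is an added example, not part of the original article: shell functions (the names are hypothetical) that classify only the real Server header across every response in a redirect chain and detect the default nginx footer in an error page.

```shell
#!/bin/sh
# Added example: classify what a response discloses about the web server.
# Header functions read raw response headers on stdin (e.g. from `curl -sIL`).

# Print the value of every Server header, one per line.
# The match is anchored to the header name, so Server-Timing is ignored.
server_values() {
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print }'
}

# Classify the headers on stdin as: absent | product-only | version-leak.
# With `curl -L` every hop is inspected, so one leaking redirect is enough
# to report a version leak.
classify_headers() {
    values=$(server_values)
    if [ -z "$values" ]; then
        echo absent
    elif printf '%s\n' "$values" | grep -Eq '[0-9]+\.[0-9]+'; then
        echo version-leak
    else
        echo product-only
    fi
}

# Succeed if an error-page body on stdin still carries the default nginx
# footer, with or without a version (server_tokens on or off).
body_discloses_nginx() {
    grep -Eiq '<center>nginx(/[0-9.]+)?</center>'
}

# Live usage (the URL and path are placeholders):
#   curl -sIL https://example.com/ | classify_headers
#   curl -s https://example.com/no-such-page | body_discloses_nginx \
#       && echo "error page still names nginx"
```

Run the header check against a URL that redirects as well as one that does not, since each hop may be answered by a differently configured server block.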

Additional Security Headers

While removing the Server header, consider adding security headers to improve your site’s security posture. See our guides on:


Danila Vershinin

Founder & Lead Engineer

NGINX configuration and optimization • Linux system administration • Web performance engineering

10+ years NGINX experience • Maintainer of GetPageSpeed RPM repository • Contributor to open-source NGINX modules

  1. dzam

    I am not a server admin and do not have access to nginx.conf, can something similar be done in php.ini?

  2. Bragi Austfjörð

    Can I use this for Plesk CentOS 8?

    • Danila Vershinin

      I think every article here can’t be updated to account for Plesk (mostly the instructions are for panel-less setups),
      but Plesk modules deserve their dedicated page, which I have set up here.

      From there I hope it will be clear how to install/enable NGINX modules for Plesk, for example:

      sudo yum -y install sw-nginx-module-security-headers
      sudo plesk sbin nginx_modules_ctl --enable security-headers 
      

      Essentially for every tutorial on the website about NGINX modules, prefix NGINX module package name with sw- (that gives you the name of Plesk-compatible NGINX module package), and use the Plesk way of enabling the module instead of adding load_module ... to nginx.conf.

      Note that not every NGINX module from the base repository is available for Plesk, but most are.

      • Bragi Austfjörð

        Thanks for your reply. I really appreciate that. Yeah, I agree not all blog posts can work for Plesk hehe, but I had to ask 🙂

      • Bragi Austfjörð

        I tried and I have this error.

        Problem: problem with installed package sw-nginx-compat-1.18.0.2-1.el8.gps.x86_64
          - package sw-nginx-compat-1.18.0.2-1.el8.gps.x86_64 requires sw-nginx = 1.18.0.2, but none of the providers can be installed
          - package sw-nginx-module-security-headers-1:1.18.0.0.0.9-3.el8.pl18.gps.x86_64 requires sw-nginx = 1.18.0, but none of the providers can be installed
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.0+t201202.1945.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.0+t200720.1125.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.0+t201202.1945.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.1+t200807.1333.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.0+t201202.1945.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.2+t200817.1747.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.0+t201202.1945.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.3+t200825.2156.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.0+t201202.1945.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.30.0+t200826.0942.x86_64
          - cannot install the best candidate for the job
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.1+t201211.1937.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.0+t200720.1125.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.1+t201211.1937.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.1+t200807.1333.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.1+t201211.1937.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.2+t200817.1747.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.1+t201211.1937.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.3+t200825.2156.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.1+t201211.1937.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.30.0+t200826.0942.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.0+t200720.1125.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.1+t200807.1333.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.2+t200817.1747.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.29.3+t200825.2156.x86_64
          - cannot install both sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64 and sw-nginx-1.18.0-2.centos.8+p18.0.30.0+t200826.0942.x86_64
          - cannot install both sw-nginx-1.18.0-2.centos.8+p18.0.29.0+t200720.1125.x86_64 and sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64
          - cannot install both sw-nginx-1.18.0-2.centos.8+p18.0.29.1+t200807.1333.x86_64 and sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64
          - cannot install both sw-nginx-1.18.0-2.centos.8+p18.0.29.2+t200817.1747.x86_64 and sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64
          - cannot install both sw-nginx-1.18.0-2.centos.8+p18.0.29.3+t200825.2156.x86_64 and sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64
          - cannot install both sw-nginx-1.18.0-2.centos.8+p18.0.30.0+t200826.0942.x86_64 and sw-nginx-1.18.0.2-2.centos.8+p18.0.32.2+t201217.1925.x86_64
        (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
        
  3. Anonymous

    Hi Danila,

    I tried to run:
    sudo yum -y install nginx-module-security-headers
    or
    sudo yum -y install nginx-module-headers-more

    but both resulted in:
    No package nginx-module-security-headers available.
    No package nginx-module-headers-more available.

    respectively. I’m using RHEL 7, do I have to install before this?

    Thanks.

    • Danila Vershinin

      For packaged installation, you need to be an active commercial subscriber, and follow through with the repository setup, which is essentially:

      sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
      