Hide Nginx version from the HTTP response headers

Why sending your version number is bad

When you send your Nginx version number with every response, you are basically telling everyone what software your server is running. This can be dangerous because hackers can look up the known vulnerabilities of your Nginx version and try to exploit them. If it’s an internal server this may not be a problem, but when it’s a public server that everyone can get resources from, it’s quite dangerous. So the best thing is to hide your Nginx version number from the HTTP response headers. If you want to completely change your server attribute for more security, I’ve written another article on that here.

Sample HTTP response header with version number:

HTTP/1.1 200 OK
Server: nginx/1.7.7 (Ubuntu)
Date: Wed, 05 Nov 2014 17:15:14 GMT

Hiding nginx version number from response headers

Configure the /etc/nginx/nginx.conf configuration file to globally apply this to all the resources sent from your nginx server.

sudo nano /etc/nginx/nginx.conf

The server_tokens directive can be used in the http {}, server {} or location {} blocks. Here is an example using the http {} block.

http {
        # Remove server tokens from HTTP response header
        server_tokens off;
        # ... the rest of your existing http {} settings ...
}

Save the configuration file and reload or restart the nginx web server.

sudo service nginx restart

We get the header information using the curl command.

curl -I http://www.yoursite.com

Example output.

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Nov 2014 17:18:14 GMT

You can see that the nginx version is no longer sent with the HTTP response header.
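
The same check can be scripted, and because server_tokens can also be set in server {} or location {} blocks, a stray "server_tokens on;" further down the configuration will override the http {} setting. The following is an added example, not part of the original article; the function names, the sample inputs and the /status location are made up for illustration.

```shell
#!/bin/sh
# Added example: check for nginx version disclosure. POSIX sh + awk.

# Reads raw HTTP response headers on stdin and prints every Server header
# value that contains a version number. Returns 0 if one is found, 1 if not.
leaks_version() {
    tr -d '\r' | awk '{
        i = index($0, ":")
        if (i == 0) next                       # status line or blank line
        name = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
        value = substr($0, i + 1)
        sub(/^[ \t]+/, "", value)
        if (name == "server" && value ~ /[0-9]+\.[0-9]+/) { print value; found = 1 }
    } END { exit(found ? 0 : 1) }'
}

# Reads nginx configuration text on stdin (for example the output of
# `nginx -T`) and prints each server_tokens directive that is not "off".
# A directive in server{} or location{} overrides the one in http{}.
# Returns 0 if such a line exists, 1 if none.
tokens_reenabled() {
    awk '/^[ \t]*#/ { next }
         /server_tokens[ \t]+/ && !/server_tokens[ \t]+off[ \t]*;/ {
             print NR ": " $0; found = 1
         }
         END { exit(found ? 0 : 1) }'
}

# Hypothetical helper: fetch headers from a live URL and test them.
check_url() { curl -sI --max-time 10 "$1" | leaks_version; }

# Constructed samples: the two responses shown in the article, and a
# made-up config where a location block re-enables the tokens.
sample_before() { printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.7.7 (Ubuntu)\r\nDate: Wed, 05 Nov 2014 17:15:14 GMT\r\n\r\n'; }
sample_after()  { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Wed, 05 Nov 2014 17:18:14 GMT\r\n\r\n'; }
sample_conf() {
    printf 'http {\n    server_tokens off;\n    server {\n'
    printf '        location /status {\n            server_tokens on;\n        }\n    }\n}\n'
}
```

After sourcing the file, run check_url http://www.yoursite.com against your own server, and pipe sudo nginx -T into tokens_reenabled to audit the full loaded configuration.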
