Hide Nginx version from the HTTP response headers
Why sending your version number is bad
When you send your Nginx version number with every response, you are telling everyone exactly what software your server is running. This can be dangerous because attackers can look up the known vulnerabilities of your Nginx version and try to exploit them. If it's an internal server this may not be a problem, but on a public server that anyone can request resources from it's quite dangerous. So the best thing is to hide your Nginx version number from the HTTP response headers. If you want to completely change your Server header for more security, I've written another article about that.
Sample HTTP response header with version number:
HTTP/1.1 200 OK
Server: nginx/1.7.7 (Ubuntu)
Date: Wed, 05 Nov 2014 17:15:14 GMT
Hiding nginx version number from response headers
Edit the /etc/nginx/nginx.conf configuration file to apply this globally to all the resources sent from your nginx server.
sudo nano /etc/nginx/nginx.conf
The server_tokens directive can be used in the http {}, server {} or location {} context. Here is an example using the http {} block.
http {
...
# Remove server tokens from HTTP response header
server_tokens off;
...
}
Save the configuration file and reload or restart the nginx web server.
sudo service nginx restart
We get the header information using the curl command.
curl -I http://www.yoursite.com
Example output.
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Nov 2014 17:18:14 GMT
You can see that the nginx version is no longer sent with the HTTP response header.
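Because server_tokens can also be set in server {} and location {} blocks, a global off in http {} can be switched back on further down the configuration. The script below is an added example, not part of the original article: it scans nginx configuration text on stdin (for instance the output of `nginx -T`) and reports every place the directive is set to something other than off. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit nginx config text for
# server_tokens. Feed it the config on stdin, e.g. the output of `nginx -T`.
# Exit status: 0 = "off" wherever it is set
#              1 = some block sets a value other than "off"
#              2 = never set (nginx then uses its default, "on")
audit_server_tokens() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                    # ignore comments
        while (match(line, /server_tokens[ \t]+[^; \t]+[ \t]*;/)) {
            val = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            sub(/^server_tokens[ \t]+/, "", val)
            sub(/[ \t]*;$/, "", val)
            seen++
            if (val != "off") {
                bad++
                printf "line %d: server_tokens %s\n", NR, val
            }
        }
    }
    END {
        if (bad) exit 1
        if (!seen) { print "server_tokens is never set (default: on)"; exit 2 }
        printf "server_tokens off in all %d place(s) it is set\n", seen
    }'
}

# Constructed sample: off in http {}, switched back on in one server {}.
sample_conf() {
    cat <<'EOF'
http {
    # Remove server tokens from HTTP response header
    server_tokens off;
    server {
        listen 80;
        server_tokens on;
    }
}
EOF
}

sample_conf | audit_server_tokens || echo "audit exit status: $?"
```

On a live server, run it as `sudo nginx -T | audit_server_tokens`; the reported line numbers refer to the dumped output, not to the individual included files.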