coocoor - Protect nginx server identity

Protect nginx server identity

@Robin on

NGINX's default configuration reveals the type and version of the web server software in its responses. Attackers watch for this information to launch attacks targeted at the exact server software and version in use, or to apply an existing exploit if that version is known to be vulnerable.

Example of the header sent from web server:

Connection: close
Content-Length: 136
Content-Type: text/html; charset=utf-8
Server: nginx/1.6.1
...

Below are some configuration examples for nginx that prevent this information from being sent back.

nginx configuration:

In the http section of your nginx.conf, add or uncomment the following directive:

server_tokens off;

The above directive stops nginx from emitting its version in error messages and in the "Server" response header field. The header still reads "Server: nginx"; removing the product name as well requires the source change described below.

To check if the server's response header contains any version information, you can run the following command in your console:

curl -I http://your-website.com

If you want to remove the nginx server signature entirely, you will need to edit the nginx source code. Look for the following file:

src/http/ngx_http_header_filter_module.c

In this file, find the following lines:

static char ngx_http_server_string[] = "Server: nginx" CRLF;

static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

and replace them with:

static char ngx_http_server_string[] = "Server: My Server" CRLF;

static char ngx_http_server_full_string[] = "Server: My Server" CRLF;

Save the file and recompile nginx. Once you deploy the build with these modifications, the default nginx server signature no longer appears in the HTTP headers.
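As an added check (example code, not from the original post), the following Python script applies the header inspection described above to a captured response and also looks at the default error-page footer, where nginx prints its version until server_tokens is turned off. The sample responses are constructed here, not captured from a real server.

```python
"""Detect nginx version disclosure in an HTTP response: the Server header
and the "<hr><center>nginx/x.y.z</center>" footer of default error pages.
Added example; sample responses below are constructed, not captured."""
import re

# "nginx/1.6.1" in any header or body text is a version disclosure.
VERSION_RE = re.compile(r"nginx/(\d+\.\d+\.\d+)", re.IGNORECASE)
# Default error pages end with "<hr><center>nginx/1.6.1</center>";
# with server_tokens off the footer is just "<hr><center>nginx</center>".
FOOTER_RE = re.compile(r"<center>nginx/(\d+\.\d+\.\d+)</center>", re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def classify_server(value):
    """'version' = product and version leak, 'product' = bare 'nginx'
    (what server_tokens off leaves), 'custom' = patched build, 'absent'."""
    if value is None:
        return "absent"
    if VERSION_RE.search(value):
        return "version"
    if "nginx" in value.lower():
        return "product"
    return "custom"


def check_disclosure(raw):
    """Return what the response gives away in header and error-page footer."""
    headers, body = split_response(raw)
    server = headers.get("server")
    header_match = VERSION_RE.search(server or "")
    footer_match = FOOTER_RE.search(body)
    return {
        "server_header": classify_server(server),
        "header_version": header_match.group(1) if header_match else None,
        "footer_version": footer_match.group(1) if footer_match else None,
    }


# Constructed samples: default build, server_tokens off, and patched source.
DEFAULT_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: nginx/1.6.1\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>404 Not Found</title></head><body>"
    "<center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.1</center></body></html>"
)
TOKENS_OFF_404 = DEFAULT_404.replace("nginx/1.6.1", "nginx")
PATCHED_404 = TOKENS_OFF_404.replace("Server: nginx", "Server: My Server")
```

Feed it the output of a real `curl -si http://your-website.com/nonexistent` to compare against these samples; the patched build still reveals "nginx" in the error-page footer because only the Server string was changed.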
