HTTP header manipulation
nunomagalhaes at eu.ipp.pt
Sat Feb 21 01:17:41 MSK 2009
I thought I'd use a different thread instead of stealing Paul's...
HTTP-header manipulation is another type of exploit which does relate
to the webserver. On that, how can I prevent nginx from sending the
server name? I.e., given this:

    GET / HTTP/1.1

    HTTP/1.1 200 OK
    Date: Fri, 20 Feb 2009 22:08:31 GMT
    Content-Type: text/html; charset=utf8

I'd like to remove or spoof that "Server .." line. I've done these
changes on my files:
fastcgi_param SERVER_SOFTWARE apache; #or whatever string
fastcgi_param SERVER_NAME again... some string here;
I'm also fiddling with error pages so they present my error pages,
which also includes "msie_padding on;" in .conf but this is its
default setting anyway.
However, the server name does still go out in the response header. Am I
missing something in the config? Do I have to reboot/reHUP the server
again? Have to use PHP or something to filter the headers?
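
One way to check from the client side whether a configuration change altered what the Server response header discloses, as an added example that is not part of the original post or of nginx. The function names, the product name "exampled" and the sample responses are constructed for illustration.

```python
import re

# product = token ["/" product-version], following the HTTP Server header grammar
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PRODUCT = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")
_COMMENT = re.compile(r"\([^()]*\)")


def server_banner(raw_head: bytes) -> list:
    """Return every Server header value found in a raw response head."""
    head = raw_head.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":   # header names are case-insensitive
            values.append(value.strip())
    return values


def classify(raw_head: bytes) -> dict:
    """Report what the Server header discloses: nothing, product, or product+version."""
    values = server_banner(raw_head)
    products = []
    for value in values:
        stripped = _COMMENT.sub(" ", value)    # drop "(platform)"-style comments
        products += _PRODUCT.findall(stripped)
    if not values:
        level = "absent"
    elif any(version for _, version in products):
        level = "product+version"
    else:
        level = "product-only"
    return {"level": level, "values": values, "products": products}


# Constructed sample responses (not captured from the poster's server).
BEFORE = (b"HTTP/1.1 200 OK\r\nServer: exampled/1.2.3 (testos)\r\n"
          b"Date: Fri, 20 Feb 2009 22:08:31 GMT\r\n"
          b"Content-Type: text/html; charset=utf8\r\n\r\n<html>")
AFTER = (b"HTTP/1.1 200 OK\r\nserver: exampled\r\n"
         b"Date: Fri, 20 Feb 2009 22:08:31 GMT\r\n\r\n")
STRIPPED = b"HTTP/1.1 200 OK\r\nDate: Fri, 20 Feb 2009 22:08:31 GMT\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("stripped", STRIPPED)):
        print(label, classify(raw))
```

The fastcgi_param directive sets parameters handed to the FastCGI backend rather than response headers, so a check like this is run against the response itself. In nginx, the server_tokens directive controls whether the version appears in the Server header and on error pages.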