HTTP header manipulation

Nuno Magalhães nunomagalhaes at
Sat Feb 21 01:17:41 MSK 2009

I thought I'd use a different thread instead of stealing Paul's...

HTTP-header manipulation is another type of exploit which does relate
to the webserver. On that, how can I prevent nginx from sending the
server name? I.e., given this:

GET / HTTP/1.1
Host: localhost
Accept: text/html

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Feb 2009 22:08:31 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive

I'd like to remove or spoof that "Server .." line. I've done these
changes on my files:

http {
    server_tokens off;

    fastcgi_param  SERVER_SOFTWARE    apache; # or whatever string
    fastcgi_param  SERVER_NAME        "some string here"; # again, whatever string
}

I'm also fiddling with error pages so they present my error pages,
which also includes "msie_padding on;" in .conf but this is its
default setting anyway.

However, the server name does still go out in the response header. Am I
missing something in the config? Do I have to reboot/reHUP the server
again? Do I have to use PHP or something to filter the headers?

Nuno Magalhães
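The header check behind this question, as an added example that is not part of the original post or of nginx itself: a small Python parser that reads the head of a raw HTTP/1.1 response and reports what its Server header reveals. The first sample is the response quoted in the post; the versioned and header-less samples are constructed, and the version number in them is made up. Two facts the example rests on: nginx's server_tokens off removes only the version suffix, leaving the bare product name the post shows, and fastcgi_param only sets variables passed to the FastCGI backend, so it has no effect on nginx's own response headers.

```python
"""Classify what an HTTP Server response header reveals.

Added example (not from the original post or from nginx): parses the head
of a raw HTTP/1.1 response and reports whether the Server header is
absent, names only the product (what nginx's "server_tokens off"
produces), or also carries a version string. All responses below are
constructed for this example; the version in SAMPLE_VERSIONED is made up.
"""
import re

# Quoted in the post: nginx with "server_tokens off" still sends
# "Server: nginx"; only the version suffix is dropped.
SAMPLE_PRODUCT_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Fri, 20 Feb 2009 22:08:31 GMT\r\n"
    "Content-Type: text/html; charset=utf8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed: nginx's default behaviour, product plus version (version made up).
SAMPLE_VERSIONED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.2.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed: no Server header at all, e.g. cleared by a header-rewriting module.
SAMPLE_ABSENT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_response_head(raw):
    """Split a raw HTTP response head into (status line, {name: value}).

    Header names are case-insensitive, so keys are lower-cased. Only the
    head (up to the first blank line) is parsed; any body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def classify_server_header(raw):
    """Return 'absent', 'product-only' or 'versioned' for the Server header."""
    _, headers = parse_response_head(raw)
    value = headers.get("server")
    if value is None:
        return "absent"
    # A version is conventionally appended as product/version, e.g. nginx/1.2.3.
    if re.search(r"/\d", value):
        return "versioned"
    return "product-only"


if __name__ == "__main__":
    for label, sample in (("post", SAMPLE_PRODUCT_ONLY),
                          ("default", SAMPLE_VERSIONED),
                          ("cleared", SAMPLE_ABSENT)):
        print("%-8s %s" % (label, classify_server_header(sample)))
```

Run against a live server, the same classifier would take the head of the socket's response in place of the constructed samples; the point of the three outcomes is that server_tokens off moves a server from "versioned" to "product-only", not to "absent".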
