HTTP header manipulation

Maxim Dounin mdounin at mdounin.ru
Sat Feb 21 03:13:09 MSK 2009


Hello!

On Fri, Feb 20, 2009 at 10:17:41PM +0000, Nuno Magalhães wrote:

> I thought i'd use a different thread instead of stealing Paul's...
> 
> HTTP-header manipulation is another type of exploit which does relate
> to the webserver. On that, how can i prevent nginx from sending the
> server name? I.e., given this:
> 
> [...]
> GET / HTTP/1.1
> Host: localhost
> Accept: text/html
> 
> HTTP/1.1 200 OK
> Server: nginx
> Date: Fri, 20 Feb 2009 22:08:31 GMT
> Content-Type: text/html; charset=utf8
> Transfer-Encoding: chunked
> Connection: keep-alive
> 
> I'd like to remove or spoof that "Server .." line. I've done these
> changes on my files:

No way.  Switching off server_tokens is the only thing you may do 
without nginx source code modification.

Personally I think that even switching off server_tokens is the wrong
way to go.  It doesn't give you extra security but instead a false
sense of it - at the cost of much more complicated debugging and
defeating your own security analysis.  It's much better to keep
your software up-to-date instead.

BTW, the charset in the example above is wrong.  There is no "utf8"
charset; it's called "utf-8".  The full list of registered character
sets can be found here:

http://www.iana.org/assignments/character-sets.

> /etc/nginx/nginx.conf
> [...]
> http {
> [...]
> server_tokens off;
> [...]
> 
> /etc/nginx/fastcgi_params
> [...]
> fastcgi_param  SERVER_SOFTWARE    apache; #or whatever string
> fastcgi_param  SERVER_NAME        again... some string here;

You don't trust even your own fastcgi apps?  Funny. :)

Maxim Dounin
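As an added illustration (not code from the thread or from nginx), a small Python audit of the two points raised above: whether a response's Server header still carries a version string (i.e. server_tokens was left on) and whether the Content-Type charset label is a registered one. The sample responses and the small subset of the IANA registry are constructed for this example.

```python
import re

# Constructed samples: the response quoted in the thread, plus a second one
# with a made-up version string to show what server_tokens on looks like.
SAMPLE_RESPONSES = {
    "tokens_off": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Date: Fri, 20 Feb 2009 22:08:31 GMT\r\n"
        "Content-Type: text/html; charset=utf8\r\n"
        "Transfer-Encoding: chunked\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    ),
    "tokens_on": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx/0.7.0\r\n"  # constructed version, not from the thread
        "Content-Type: text/html; charset=UTF-8\r\n"
        "\r\n"
    ),
}

# Assumption: a tiny subset of the IANA character-set registry is enough here.
REGISTERED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1", "iso-8859-15", "windows-1252"}


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_headers(raw):
    """Return findings: version disclosure in Server, unregistered charset labels."""
    _, headers = parse_headers(raw)
    findings = []
    server = headers.get("server", "")
    # "nginx/x.y.z" means server_tokens is on; a bare "nginx" is all nginx can hide.
    if re.search(r"/\d", server):
        findings.append("server-version-disclosed: " + server)
    ctype = headers.get("content-type", "")
    m = re.search(r"charset=([^;\s]+)", ctype, re.IGNORECASE)
    if m and m.group(1).strip('"').lower() not in REGISTERED_CHARSETS:
        findings.append("unregistered-charset: " + m.group(1))
    return findings


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, audit_headers(raw))
```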