HTTP header manipulation
nunomagalhaes at eu.ipp.pt
Sat Feb 21 03:48:50 MSK 2009
> No way. Switching off server_tokens is the only thing you may do
> without nginx source code modification.
However "nginx" does still appear in a 403 (I'm in the process of
editing the error pages). Eventually I added "add_headers Server
weee;" to my conf, but that didn't have any effect, even with a 200
> Personally I think that even switching off server_tokens is wrong
> way to go. It doesn't give you extra security but instead false
> sense of it
It doesn't secure anything per se, but it's harder for people to
figure out which webserver is running and thus harder to find exploits
for said server.
> BTW, charset in the example above is wrong. There is no "utf8"
> charset, it's called "utf-8".
> You don't trust even your own fastcgi apps? Funny. :)
Being an internal service? Meh...