HTTP header manipulation

Merlin merlin at
Tue Feb 24 05:44:25 MSK 2009

On Fri, Feb 20, 2009 at 4:48 PM, Nuno Magalhães <nunomagalhaes at>wrote:

> > Personally I think that even switching off server_tokens is wrong
> > way to go.  It doesn't give you extra security but instead false
> > sense of it
> It doesn't secure anything per se, but it's harder for people to
> figure out which webserver is running and thus harder to find exploits
> for said server.

HTTP fingerprinting is a very low wall.  If someone seriously capable is
attempting to exploit you, spoofing or removing your server string won't
matter in the least as they will employ fingerprinting techniques.  I'm just
gonna leave this here...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list