Hide HTTP headers in nginx
Francis Daly
francis at daoine.org
Fri Nov 13 11:17:22 UTC 2020
On Fri, Nov 13, 2020 at 06:03:02AM +0530, Kaushal Shriyan wrote:
Hi there,
> As part of the security audit, I have set server_tokens off;
> in /etc/nginx/nginx.conf. Is there a way to hide Server: nginx,
> X-Powered-By and X-Generator?
It's generally pointless from a security perspective to hide headers;
and it is impolite to the authors to do so.
Stock nginx does not provide a configuration option to remove the Server:
header (but it does provide the source code and the freedom for you to
do what you want with it).
The other headers might be adjustable by whatever generates
them; but nginx does provide directives like fastcgi_hide_header
(http://nginx.org/r/fastcgi_hide_header) to adjust what is sent from a
fastcgi_pass response.
Good luck with it,
f
--
Francis Daly francis at daoine.org
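Added example, not part of the original message: a minimal nginx.conf showing fastcgi_hide_header applied to the two headers named in the question. The server name, document root, PHP-FPM socket path and the 127.0.0.1:8080 upstream are assumptions; the proxy_hide_header location goes beyond the message and covers the same headers when the backend is reached through proxy_pass instead of fastcgi_pass.

```nginx
# Constructed example configuration; names, paths and addresses are placeholders.
events {}

http {
    # Already set in the question: removes the version number from the
    # Server: header and from error pages. "Server: nginx" is still sent.
    server_tokens off;

    server {
        listen 80;
        server_name example.com;          # assumed name
        root /var/www/html;               # assumed document root

        # Backend reached over FastCGI (for example PHP-FPM).
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path

            # Drop these response headers before they reach the client.
            # One directive per header; matching is case-insensitive.
            fastcgi_hide_header X-Powered-By;
            fastcgi_hide_header X-Generator;
        }

        # Backend reached over HTTP: fastcgi_hide_header has no effect here,
        # the proxy module has its own equivalent directive.
        location /app/ {
            proxy_pass http://127.0.0.1:8080;          # assumed upstream
            proxy_hide_header X-Powered-By;
            proxy_hide_header X-Generator;
        }
    }
}
```

After `nginx -t` and a reload, `curl -sI` against a PHP URL should still show `Server: nginx` but no `X-Powered-By` or `X-Generator` line.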