Request Method Using Mixed case letters.
mdounin at mdounin.ru
Wed Jan 13 13:27:44 UTC 2021
On Wed, Jan 13, 2021 at 01:04:26AM -0500, sanjay9999 wrote:
> Thanks for the update.
> I have already taken care to hide the "nginx".
The links I've provided explain why you shouldn't do this. In
particular, because this has nothing to do with security, and
because it is an easy way to say "thanks" to the developers,
> With CAPITAL letters, my testcase using "POSTSSS" for request_method works
> fine. However, for mixed-case and small-case, the nginx default rule applies and
> control does not reach my server block. Hence I end up getting a 400 error
> with the "nginx" server name in the html response.
Trying to hide "nginx" everywhere, including response headers and
error pages, will at least require 3rd party modules to do so, as
well as non-trivial and error prone error_page configuration. I
would not recommend doing this.
If you insist on not saying "thanks", the most simple available
option is to use 'server_tokens "";' as recommended by the
previous message (and available in the commercial version).