[PATCH] http option for server identification removal

Teo Tyrov teotyrov at gmail.com
Thu Oct 19 13:16:14 UTC 2023


Sorry, I forgot to add the mailing list to the recipients

Best,
Thodoris

On Wed, Oct 18, 2023 at 11:17 PM Aleksandar Lazic <al-nginx at none.at> wrote:

> Hi Teo.
>
> On 2023-10-18 (Mi.) 21:18, Teo Tyrov wrote:
> > Hello Alex,
> >
> > This directive removes only the version, so it is still disclosed that
> > the nginx server is used. I would be asked to remove the entire header
> > in my previous company, which as far as I know, is not possible without
> > external modules.
>
> got it.
>
> > On Wed, Oct 18, 2023 at 10:05 PM Aleksandar Lazic <al-nginx at none.at> wrote:
> >
> >     Hi Teo.
> >
> >     On 2023-10-18 (Mi.) 20:38, Teo Tyrov wrote:
> >      > # HG changeset patch
> >      > # User Theodoros Tyrovouzis <teotyrov at gmail.com>
> >      > # Date 1697653906 -10800
> >      > #      Wed Oct 18 21:31:46 2023 +0300
> >      > # Node ID 112e223511c087fac000065c7eb99dd88e66b174
> >      > # Parent  cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
> >      > Add "server_identification" http option that hides server information
> >      > disclosure in responses
> >      >
> >      > In its responses, nginx by default sends a "Server" header which
> >      > contains "nginx" and the nginx version. Most production systems would
> >      > want this information hidden, as it is technical information disclosure
> >      > (https://portswigger.net/web-security/information-disclosure). nginx
> >      > does provide the option "server_tokens off;" which hides the version,
> >      > but in order to get rid of the header, nginx needs to be compiled with
> >      > the headers_more module, for the option "more_clear_headers". This patch
> >      > provides an http option for hiding that information, which also hides
> >      > the server information from the default error responses.
> >      >
> >      > An alternative would be to add a new option to server_tokens, e.g.
> >      > "incognito".
> >
> >     What's wrong with this directive?
> >
> >     http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
> >
> >     [snipp]
> >
> >     Regards
> >     Alex
> >
>
>
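As an added example (it is not part of this thread, nor nginx's or the headers_more module's code), the following Python script checks which of the three states discussed above a server is in: the nginx default (product and version in the "Server" header and in the default error page body), "server_tokens off;" (product only), or the header removed entirely, as "more_clear_headers Server;" or the proposed "server_identification" option would do. The three raw responses embedded below are constructed for the example, modelled on nginx's default 404 page; the `fetch_raw` helper is an assumed convenience for running the same classifier against a host you administer and is not exercised by the sample data.

```python
"""Classify how much an HTTP response identifies the server software.

Added example for the nginx-devel thread above; not nginx's own code.
"""
import re
import socket
from typing import Optional

# Constructed sample responses (not captured from a real host), one per
# disclosure state discussed in the thread.
DEFAULT_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.25.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n"
    "<center><h1>404 Not Found</h1></center>\r\n"
    "<hr><center>nginx/1.25.3</center>\r\n</body>\r\n</html>\r\n"
)
TOKENS_OFF_RESPONSE = (  # server_tokens off; keeps the product name
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n"
    "<center><h1>404 Not Found</h1></center>\r\n"
    "<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
)
HEADER_REMOVED_RESPONSE = (  # header cleared and error page scrubbed
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n"
    "<center><h1>404 Not Found</h1></center>\r\n</body>\r\n</html>\r\n"
)

# "nginx/1.25.3" -> version present; "nginx" alone -> no version.
VERSION_RE = re.compile(r"/\d+(\.\d+)*")


def server_header(raw: str) -> Optional[str]:
    """Return the value of the first Server header, or None if absent."""
    head, _, _ = raw.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify(raw: str) -> dict:
    """Report the header disclosure level and whether the body names nginx.

    header: "product+version" (nginx default), "product" (server_tokens off)
            or "hidden" (header absent).
    body_names_server: True when the default error page still prints the
            server name, which server_tokens off does not suppress.
    """
    value = server_header(raw)
    if value is None:
        header = "hidden"
    elif VERSION_RE.search(value):
        header = "product+version"
    else:
        header = "product"
    _, _, body = raw.partition("\r\n\r\n")
    return {"header": header, "body_names_server": "nginx" in body.lower()}


def fetch_raw(host: str, port: int = 80, path: str = "/nonexistent") -> str:
    """Assumed helper: fetch a raw plain-HTTP response so the default error
    page (not just the header) can be inspected. Requests a path that should
    404 because that is where the error-page disclosure shows up."""
    request = (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    )
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    for label, sample in [
        ("default", DEFAULT_RESPONSE),
        ("server_tokens off", TOKENS_OFF_RESPONSE),
        ("header removed", HEADER_REMOVED_RESPONSE),
    ]:
        print(f"{label:18} -> {classify(sample)}")
```

Running the script prints the classification of the three constructed samples; the middle line makes the thread's point concrete, since `server_tokens off;` leaves `header: "product"` and `body_names_server: True`, whereas only removing the header and scrubbing the error page yields `hidden` / `False`.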