[PATCH] http option for server identification removal

Aleksandar Lazic al-nginx at none.at
Wed Oct 18 19:05:41 UTC 2023

Hi Teo.

On 2023-10-18 (Mi.) 20:38, Teo Tyrov wrote:
> # HG changeset patch
> # User Theodoros Tyrovouzis <teotyrov at gmail.com <mailto:teotyrov at gmail.com>>
> # Date 1697653906 -10800
> #      Wed Oct 18 21:31:46 2023 +0300
> # Node ID 112e223511c087fac000065c7eb99dd88e66b174
> # Parent  cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
> Add "server_identification" http option that hides server information 
> disclosure in responses
> In its responses, nginx by default sends a "Server" header which 
> contains "nginx" and the nginx version. Most production systems would 
> want this information hidden, as it is technical information disclosure 
> (https://portswigger.net/web-security/information-disclosure). nginx 
> does provide the option "server_tokens off;" which hides the version, 
> but in order to get rid of the header, nginx needs to be compiled with 
> the headers_more module, for the option "more_clear_headers". This patch 
> provides an http option for hiding that information, which also hides 
> the server information from the default error responses.
> An alternative would be to add a new option to server_tokens, e.g. 
> "incognito".

What's wrong with this directive?



More information about the nginx-devel mailing list