[PATCH] http option for server identification removal
Aleksandar Lazic
al-nginx at none.at
Wed Oct 18 19:05:41 UTC 2023
Hi Teo.
On 2023-10-18 (Wed.) 20:38, Teo Tyrov wrote:
> # HG changeset patch
> # User Theodoros Tyrovouzis <teotyrov at gmail.com>
> # Date 1697653906 -10800
> # Wed Oct 18 21:31:46 2023 +0300
> # Node ID 112e223511c087fac000065c7eb99dd88e66b174
> # Parent cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
> Add "server_identification" http option that hides server information
> disclosure in responses
>
> In its responses, nginx by default sends a "Server" header which
> contains "nginx" and the nginx version. Most production systems would
> want this information hidden, as it is technical information disclosure
> (https://portswigger.net/web-security/information-disclosure). nginx
> does provide the option "server_tokens off;" which hides the version,
> but in order to get rid of the header, nginx needs to be compiled with
> the headers_more module, for the option "more_clear_headers". This patch
> provides an http option for hiding that information, which also hides
> the server information from the default error responses.
>
> An alternative would be to add a new option to server_tokens, e.g.
> "incognito".
What's wrong with this directive?
http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
[snip]
Regards
Alex
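For readers comparing the two positions in this thread, the following nginx configuration shows the weak setting the commit message refers to (`server_tokens off;`) next to the stronger one it says requires the headers_more module (`more_clear_headers`). It is an added example, not part of the patch, the thread, or nginx's own distribution; it assumes an nginx build that includes the third-party ngx_headers_more module, and the hostname, document roots and the version string in the comments are placeholders.

```nginx
# Added example (not from the patch or from nginx). Assumes nginx was
# built with the ngx_headers_more module, which provides more_clear_headers;
# stock nginx has no directive that removes the Server header outright.

http {
    # With nothing configured, nginx answers with e.g. "Server: nginx/1.25.3"
    # (version is a placeholder) and prints the same string in the footer
    # of its built-in error pages.

    # Weak mitigation, available in stock nginx: drops the version number,
    # but responses still carry "Server: nginx" and built-in error pages
    # still end with an "nginx" signature line.
    server_tokens off;

    server {
        listen 80;
        server_name example.com;          # placeholder

        # Stronger mitigation (headers_more): remove the header entirely.
        # more_clear_headers runs in the output header filter, so it also
        # covers responses nginx generates itself, error responses included.
        more_clear_headers 'Server';

        # The "nginx" signature inside the HTML body of built-in error pages
        # is not a header, so clearing Server does not touch it; serve your
        # own error documents to keep it out of the body as well.
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /404.html { root /usr/share/nginx/html; internal; }   # placeholder path
        location = /50x.html { root /usr/share/nginx/html; internal; }   # placeholder path

        location / {
            root /var/www/html;            # placeholder path
        }
    }
}
```

To verify which of the three states a deployment is in, request a normal page and a non-existent one and inspect both the `Server` header (`curl -sI http://example.com/ | grep -i '^server:'`) and the body of the 404 response: no `Server` line and no `nginx` string in the error body is the outcome the patch's author is asking for. Note that `server_tokens` also accepts `build` (emits the build name along with the version) and, in the commercial nginx distribution, an arbitrary string with variables; none of the stock values removes the header itself.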
More information about the nginx-devel mailing list