[PATCH] http option for server identification removal

Antoine Bonavita antoine.bonavita at gmail.com
Thu Oct 19 13:49:03 UTC 2023


Teo,

You might want to have a look at: https://trac.nginx.org/nginx/ticket/936

If my understanding is correct, this feature is already offered as part of
Nginx Plus.

Hope this helps,

A.

On Thu, Oct 19, 2023 at 3:16 PM Teo Tyrov <teotyrov at gmail.com> wrote:

> Sorry, I forgot to add the mailing list to the recipients
>
> Best,
> Thodoris
>
> On Wed, Oct 18, 2023 at 11:17 PM Aleksandar Lazic <al-nginx at none.at>
> wrote:
>
>> Hi Teo.
>>
>> On 2023-10-18 (Mi.) 21:18, Teo Tyrov wrote:
>> > Hello Alex,
>> >
>> > This directive removes only the version, so it is still disclosed that
>> > the nginx server is used. I would be asked to remove the entire header
>> > in my previous company, which as far as I know, is not possible without
>> > external modules.
>>
>> got it.
>>
>> > On Wed, Oct 18, 2023 at 10:05 PM Aleksandar Lazic <al-nginx at none.at>
>> > wrote:
>> >
>> >     Hi Teo.
>> >
>> >     On 2023-10-18 (Mi.) 20:38, Teo Tyrov wrote:
>> >      > # HG changeset patch
>> >      > # User Theodoros Tyrovouzis <teotyrov at gmail.com>
>> >      > # Date 1697653906 -10800
>> >      > #      Wed Oct 18 21:31:46 2023 +0300
>> >      > # Node ID 112e223511c087fac000065c7eb99dd88e66b174
>> >      > # Parent  cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
>> >      > Add "server_identification" http option that hides server
>> >     information
>> >      > disclosure in responses
>> >      >
>> >      > In its responses, nginx by default sends a "Server" header which
>> >      > contains "nginx" and the nginx version. Most production systems
>> >      > would want this information hidden, as it is technical information
>> >      > disclosure (https://portswigger.net/web-security/information-disclosure).
>> >      > nginx does provide the option "server_tokens off;" which hides the
>> >      > version, but in order to get rid of the header, nginx needs to be
>> >      > compiled with the headers_more module, for the option
>> >      > "more_clear_headers". This patch provides an http option for hiding
>> >      > that information, which also hides the server information from the
>> >      > default error responses.
>> >      >
>> >      > An alternative would be to add a new option to server_tokens, e.g.
>> >      > "incognito".
>> >
>> >     What's wrong with this directive?
>> >
>> >     http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
>> >
>> >     [snipp]
>> >
>> >     Regards
>> >     Alex
>> >
>>
>> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel
>
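The thread turns on a distinction that is easy to get wrong when auditing a deployment: "server_tokens off;" strips the version but still says "nginx", both in the Server header and in the footer of nginx's stock error pages, and clearing the header with an external module does nothing about that footer. The checker below, an added example that is not code from the nginx project or from the patch under discussion, classifies a raw HTTP response into "version disclosed", "product disclosed" or "nothing disclosed" by looking at both places. All four sample responses are constructed for this example (the version string "1.25.3" included); nothing here was captured from a real server.

```python
"""
Classify how much an nginx response discloses about the server software.

Added example, not nginx project code. It inspects the two places the
thread discusses: the "Server" response header and the signature line
nginx puts at the bottom of its default error pages
("<hr><center>nginx</center>" or "<hr><center>nginx/1.x.y</center>",
depending on server_tokens). All sample responses are constructed.
"""
import re
from enum import Enum


class Disclosure(Enum):
    VERSION = "product and version disclosed"
    PRODUCT = "product disclosed, version hidden"
    NONE = "no server identification"


# Footer of nginx's built-in error pages; group(1) is the version if present.
_FOOTER = re.compile(r"<center>nginx(?:/([^<\s]+))?</center>", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def classify(raw: bytes) -> Disclosure:
    """Return the strongest disclosure found in the header or the error-page footer."""
    _, headers, body = parse_response(raw)
    server = headers.get("server")
    footer = _FOOTER.search(body)
    # A "/" in the Server value is the product/version separator nginx uses.
    if (server and "/" in server) or (footer and footer.group(1)):
        return Disclosure.VERSION
    if server or footer:
        return Disclosure.PRODUCT
    return Disclosure.NONE


# --- constructed sample responses (not captured from a real server) ---
DEFAULT = (  # stock build, server_tokens on
    b"HTTP/1.1 404 Not Found\r\nServer: nginx/1.25.3\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1>"
    b"</center><hr><center>nginx/1.25.3</center></body></html>"
)
TOKENS_OFF = (  # server_tokens off: only the version goes away, "nginx" remains twice
    b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1>"
    b"</center><hr><center>nginx</center></body></html>"
)
HEADER_CLEARED = (  # Server header removed (e.g. via more_clear_headers) but stock error page kept
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1>"
    b"</center><hr><center>nginx</center></body></html>"
)
HIDDEN = (  # header removed and a custom error page without the footer
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for name, sample in [("default", DEFAULT), ("server_tokens off", TOKENS_OFF),
                         ("header cleared", HEADER_CLEARED), ("hidden", HIDDEN)]:
        print(f"{name:18s} -> {classify(sample).value}")
```

The HEADER_CLEARED sample is the case the commit message is getting at: clearing the header alone still leaves "nginx" in every default 4xx/5xx body, so a complete fix has to cover the error pages as well, either by a directive like the proposed one or by serving custom error_page bodies.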