[PATCH] http option for server identification removal
Antoine Bonavita
antoine.bonavita at gmail.com
Thu Oct 19 13:49:03 UTC 2023
Teo,
You might want to have a look at: https://trac.nginx.org/nginx/ticket/936
If my understanding is correct, this feature is already offered as part of
Nginx Plus.
Hope this helps,
A.
On Thu, Oct 19, 2023 at 3:16 PM Teo Tyrov <teotyrov at gmail.com> wrote:
> Sorry, I forgot to add the mailing list to the recipients
>
> Best,
> Thodoris
>
> On Wed, Oct 18, 2023 at 11:17 PM Aleksandar Lazic <al-nginx at none.at>
> wrote:
>
>> Hi Teo.
>>
>> On 2023-10-18 (Mi.) 21:18, Teo Tyrov wrote:
>> > Hello Alex,
>> >
>> > This directive removes only the version, so it is still disclosed that
>> > the nginx server is used. I would be asked to remove the entire header
>> > in my previous company, which as far as I know, is not possible without
>> > external modules.
>>
>> got it.
>>
>> > On Wed, Oct 18, 2023 at 10:05 PM Aleksandar Lazic <al-nginx at none.at>
>> > wrote:
>> >
>> > Hi Teo.
>> >
>> > On 2023-10-18 (Mi.) 20:38, Teo Tyrov wrote:
>> > > # HG changeset patch
>> > > # User Theodoros Tyrovouzis <teotyrov at gmail.com>
>> > > # Date 1697653906 -10800
>> > > # Wed Oct 18 21:31:46 2023 +0300
>> > > # Node ID 112e223511c087fac000065c7eb99dd88e66b174
>> > > # Parent cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
>> > > Add "server_identification" http option that hides server information
>> > > disclosure in responses
>> > >
>> > > In its responses, nginx by default sends a "Server" header which
>> > > contains "nginx" and the nginx version. Most production systems would
>> > > want this information hidden, as it is technical information disclosure
>> > > (https://portswigger.net/web-security/information-disclosure). nginx
>> > > does provide the option "server_tokens off;" which hides the version,
>> > > but in order to get rid of the header, nginx needs to be compiled with
>> > > the headers_more module, for the option "more_clear_headers". This patch
>> > > provides an http option for hiding that information, which also hides
>> > > the server information from the default error responses.
>> > >
>> > > An alternative would be to add a new option to server_tokens, e.g.
>> > > "incognito".
>> >
>> > What's wrong with this directive?
>> >
>> > http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
>> >
>> > [snipp]
>> >
>> > Regards
>> > Alex
>> >
>>
>> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel
>
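To make the distinction discussed in this thread concrete, here is an added Python check (not part of the patch, nor nginx's own code) that classifies what a response discloses: whether the Server header reveals the version, only the product, or nothing, and whether the default error-page footer still names nginx. The three responses are constructed samples rather than captures; the "hidden" one assumes the behaviour the commit message describes for the proposed option.

```python
import re

# Constructed sample responses (not captured from any real host) modelling
# three configurations: nginx defaults, "server_tokens off;", and the
# proposed option that drops the header and the error-page footer (assumed).
DEFAULT = (b"HTTP/1.1 404 Not Found\r\nServer: nginx/1.25.3\r\n"
           b"Content-Type: text/html\r\n\r\n"
           b"<html><body><center><h1>404 Not Found</h1></center>"
           b"<hr><center>nginx/1.25.3</center></body></html>")
TOKENS_OFF = (b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\n"
              b"Content-Type: text/html\r\n\r\n"
              b"<html><body><center><h1>404 Not Found</h1></center>"
              b"<hr><center>nginx</center></body></html>")
HIDDEN = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
          b"<html><body><center><h1>404 Not Found</h1></center>"
          b"<hr></body></html>")

# "nginx/<major>.<minor>[.<patch>]" as emitted with server_tokens on.
VERSION_RE = re.compile(r"^nginx/\d+\.\d+(\.\d+)?$", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def server_disclosure(raw: bytes) -> dict:
    """Report how much the response reveals about the nginx origin."""
    headers, body = parse_response(raw)
    server = headers.get("server")
    if server is None:
        level = "none"            # header removed entirely
    elif VERSION_RE.match(server):
        level = "version"         # default: product and version
    elif server.lower().startswith("nginx"):
        level = "product"         # server_tokens off: product only
    else:
        level = "other"
    # Default nginx error pages end with a "<center>nginx...</center>" footer,
    # which server_tokens off shortens but does not remove.
    leak = re.search(rb"<center>nginx[^<]*</center>", body, re.I) is not None
    return {"server": server, "level": level, "body_leak": leak}
```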