[PATCH] HTTP: stop emitting server version by default

Sergey A. Osokin osa at freebsd.org.ru
Thu Feb 29 14:03:50 UTC 2024


Hi Piotr,

thank you for the patch.

On Wed, Feb 28, 2024 at 01:20:35AM +0000, Piotr Sikora via nginx-devel wrote:

[...]

> HTTP: stop emitting server version by default.
> This information is only useful to attackers.
> The previous behavior can be restored using "server_tokens on".

[...]

I don't think this is a good idea to change the default behaviour
for the directive we have for a long-long time.  It's always possible
to set `server_tokens off;' in the configuration file.

Also, this change is required a corresponding change in the
documentation on the nginx.org website.

Thank you.

-- 
Sergey A. Osokin


More information about the nginx-devel mailing list