"server_tokens off" still showing server software
Igor Clark
igor at pokelondon.com
Mon Mar 10 21:20:15 MSK 2008
Hi there

We're running a site for a large company using 0.5.35. Their IT
security team insists that the "Server: nginx" HTTP header must be
removed. I've set "server_tokens off" in both http and server
sections, and the version number is no longer shown, but I still get
"Server: nginx".

I need to remove this completely, as they may actually insist we
change server software if this is not done.

Is there a way to do this through config?

In the meantime, as I don't have time to learn the ngx code well
enough to add a config directive of my own, I've *removed* the
following lines in src/http/ngx_http_header_filter_module.c, rebuilt,
and the header is, obviously, no longer sent.

But will this cause other problems?

48: static char ngx_http_server_string[] = "Server: nginx" CRLF;
49: static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
127: { ngx_string("Server"), offsetof(ngx_http_headers_out_t, server) },
243: if (r->headers_out.server == NULL) {
244: len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 1:
245: sizeof(ngx_http_server_string) - 1;
246: }
284: + r->server_name.len
295: + r->server_name.len
369: if (r->headers_out.server == NULL) {
370: if (clcf->server_tokens) {
371: p = (u_char *) ngx_http_server_full_string;
372: len = sizeof(ngx_http_server_full_string) - 1;
373:
374: } else {
375: p = (u_char *) ngx_http_server_string;
376: len = sizeof(ngx_http_server_string) - 1;
377: }
378:
379: b->last = ngx_cpymem(b->last, p, len);
380: }
447: b->last = ngx_copy(b->last, r->server_name.data, r->server_name.len);

I hope this doesn't go against the whole nginx philosophy - I'm
normally quite proud about nginx server tokens!
But if it's either "do this or use Apache", then I'd rather do this ...

Many thanks,
Igor
--
Igor Clark // POKE // 10 Redchurch Street // E2 7DD // +44 (0)20 7749
5355 // www.pokelondon.com
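
The removed lines quoted in the message sit in two places: a block that adds the Server line's size to len (243-246) and a block that copies the line into the buffer (369-380). The following added example, which is not part of the original post and is not nginx source, models that count-then-copy pattern in plain C and checks the resulting header block for a Server line. All function names, the status line and the SERVER_NONE mode are assumptions made for illustration.

```c
/* Added illustration: a simplified model, NOT nginx source. Names are hypothetical. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define CRLF   "\r\n"
#define STATUS "HTTP/1.1 200 OK" CRLF
enum server_mode { SERVER_NONE, SERVER_SHORT, SERVER_FULL };

/* NULL models the patched build; SHORT/FULL model server_tokens off/on. */
static const char *server_line(enum server_mode m) {
    if (m == SERVER_NONE) return NULL;
    return (m == SERVER_FULL) ? "Server: nginx/0.5.35" CRLF : "Server: nginx" CRLF;
}

static char *put(char *last, const char *s) {
    size_t n = strlen(s);
    return (char *)memcpy(last, s, n) + n;
}

/* Pass 1: count the bytes the header block needs. */
size_t header_len(enum server_mode m) {
    const char *s = server_line(m);
    return strlen(STATUS) + (s ? strlen(s) : 0) + strlen(CRLF);
}

/* Pass 2: fill a buffer sized by pass 1; NULL on OOM or if the passes disagree. */
char *build_headers(enum server_mode m, size_t *len) {
    const char *s = server_line(m);
    char *buf = malloc((*len = header_len(m)) + 1), *last = buf;
    if (buf == NULL) return NULL;
    last = put(last, STATUS);
    if (s != NULL) last = put(last, s);
    last = put(last, CRLF);
    if ((size_t)(last - buf) != *len) { free(buf); return NULL; }
    *last = '\0';
    return buf;
}

/* 1 if any line of the block starts with "Server:" (case-insensitive). */
int has_server_header(const char *h) {
    static const char name[] = "server:";
    for (const char *p = h; p && *p; p = strstr(p, CRLF), p = p ? p + 2 : NULL) {
        size_t i = 0;
        while (name[i] && tolower((unsigned char)p[i]) == name[i]) i++;
        if (name[i] == '\0') return 1;
    }
    return 0;
}
```

Because the buffer is sized by the first pass, a change that drops the Server line from only one of the two passes makes the written length and the allocated length diverge, which is the condition build_headers rejects.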