HTTP header manipulation
Nuno Magalhães
nunomagalhaes at eu.ipp.pt
Sat Feb 21 01:17:41 MSK 2009
I thought I'd use a different thread instead of stealing Paul's...
HTTP-header manipulation is another type of exploit which does relate
to the webserver. On that, how can I prevent nginx from sending the
server name? I.e., given this:
[...]
GET / HTTP/1.1
Host: localhost
Accept: text/html

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Feb 2009 22:08:31 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive
I'd like to remove or spoof that "Server .." line. I've done these
changes on my files:
/etc/nginx/nginx.conf
[...]
http {
[...]
server_tokens off;
[...]
/etc/nginx/fastcgi_params
[...]
fastcgi_param SERVER_SOFTWARE apache; #or whatever string
fastcgi_param SERVER_NAME again... some string here;
I'm also fiddling with error pages so they present my error pages,
which also includes "msie_padding on;" in .conf but this is its
default setting anyway.
However, the server name does still go out in the response header. Am I
missing something in the config? Do I have to reboot/reHUP the server
again? Have to use PHP or something to filter the headers?
Nuno Magalhães
LU#484677
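As an added illustration (not part of the original post or of nginx): a small Python check that parses a raw HTTP response and reports whether the Server header discloses nothing, only the product, or product and version. The sample responses are constructed; the first mirrors the exchange quoted above, which is what nginx's documented server_tokens off produces (version dropped, "Server: nginx" kept), and the version string in the second sample is made up for the example.

```python
import re

# Constructed sample responses for the check below. "tokens_off" mirrors
# the response quoted in the post (server_tokens off keeps "Server: nginx");
# "default" uses a made-up version string; "stripped" has no Server header.
SAMPLE_RESPONSES = {
    "tokens_off": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Date: Fri, 20 Feb 2009 22:08:31 GMT\r\n"
        "Content-Type: text/html; charset=utf8\r\n"
        "Transfer-Encoding: chunked\r\n"
        "Connection: keep-alive\r\n\r\n"
    ),
    "default": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx/0.7.61\r\n"  # constructed version string
        "Content-Type: text/html\r\n\r\n"
    ),
    "stripped": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def parse_headers(raw):
    """Split a raw HTTP/1.x response head into (status_line, {name: value}).
    Line endings are normalised and header names lower-cased, since HTTP
    header names are case-insensitive."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_server_header(raw):
    """Return 'none', 'product' or 'product+version' describing how much
    the Server header gives away."""
    _, headers = parse_headers(raw)
    value = headers.get("server", "")
    if not value:
        return "none"
    # A version string follows a slash and starts with a digit: nginx/0.7.61
    if re.search(r"/\d", value):
        return "product+version"
    return "product"


def audit(samples):
    """Classify every sample response; returns {sample_name: verdict}."""
    return {name: classify_server_header(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:10s} -> {verdict}")
```

Feed it a response captured from your own server (for example the output of a raw request over a socket) to confirm what the Server header actually discloses after a config change and reload.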