HTTP header manipulation
Maxim Dounin
mdounin at mdounin.ru
Sat Feb 21 03:13:09 MSK 2009
Hello!
On Fri, Feb 20, 2009 at 10:17:41PM +0000, Nuno Magalhães wrote:
> I thought I'd use a different thread instead of stealing Paul's...
>
> HTTP-header manipulation is another type of exploit which does relate
> to the webserver. On that, how can I prevent nginx from sending the
> server name? I.e., given this:
>
> [...]
> GET / HTTP/1.1
> Host: localhost
> Accept: text/html
>
> HTTP/1.1 200 OK
> Server: nginx
> Date: Fri, 20 Feb 2009 22:08:31 GMT
> Content-Type: text/html; charset=utf8
> Transfer-Encoding: chunked
> Connection: keep-alive
>
> I'd like to remove or spoof that "Server .." line. I've done these
> changes on my files:
No way. Switching off server_tokens is the only thing you may do
without nginx source code modification.
Personally I think that even switching off server_tokens is the wrong
way to go. It doesn't give you extra security but instead a false
sense of it - at the cost of much more complicated debugging and
defeating your own security analysis. It's much better to keep
your software up-to-date instead.
BTW, charset in the example above is wrong. There is no "utf8"
charset, it's called "utf-8". Full list of registered character
sets can be found here:
http://www.iana.org/assignments/character-sets.
> /etc/nginx/nginx.conf
> [...]
> http {
> [...]
> server_tokens off;
> [...]
>
> /etc/nginx/fastcgi_params
> [...]
> fastcgi_param SERVER_SOFTWARE apache; #or whatever string
> fastcgi_param SERVER_NAME again... some string here;
You don't trust even your own fastcgi apps? Funny. :)
Maxim Dounin
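Two things in the thread lend themselves to an automated check on a captured response head: whether the Server header carries a version (what server_tokens controls), and whether the Content-Type charset label is a registered one (the "utf8" vs "utf-8" point). The script below is an added example, not code from the thread or from nginx; the sample response is the one quoted above, re-typed with CRLF line endings, and REGISTERED_CHARSETS is a small constructed subset of the IANA registry, not the full list.

```python
"""Audit a raw HTTP/1.1 response head for the two points raised in the thread:
a Server header that exposes a version, and a Content-Type charset label that
is not a registered charset name. Added example, not nginx code."""

import re

# Constructed subset of IANA-registered charset names (full registry:
# http://www.iana.org/assignments/character-sets). "utf8" is deliberately
# absent: the registered label is "utf-8".
REGISTERED_CHARSETS = {
    "utf-8", "utf-16", "us-ascii", "iso-8859-1", "iso-8859-15", "windows-1252",
}

# Constructed sample, re-typed from the response quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Fri, 20 Feb 2009 22:08:31 GMT\r\n"
    "Content-Type: text/html; charset=utf8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def parse_head(raw):
    """Return the header fields of a raw response as a dict keyed by the
    lower-cased field name. Only the head before the first blank line is read;
    the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def charset_of(content_type):
    """Extract the charset parameter from a Content-Type value, or None.
    Handles an optionally quoted token; the parameter name is case-insensitive."""
    m = re.search(r';\s*charset\s*=\s*"?([^";\s]+)"?', content_type, re.I)
    return m.group(1) if m else None


def audit(raw):
    """Return a list of findings (empty when nothing is flagged)."""
    headers = parse_head(raw)
    findings = []

    # With server_tokens on, the banner looks like "nginx/<version>"; a slash
    # followed by a digit is the usual sign that a version is exposed.
    server = headers.get("server", "")
    if re.search(r"/\d", server):
        findings.append("server header exposes a version: %s" % server)

    # Charset labels are compared case-insensitively against the allowlist.
    cs = charset_of(headers.get("content-type", ""))
    if cs is not None and cs.lower() not in REGISTERED_CHARSETS:
        findings.append("unregistered charset label: %s" % cs)

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

Run against the sample it reports only the charset label; swapping the Server value for a versioned banner adds the second finding. Feed it the head of any captured response (everything up to the first blank line) to check the same two points on your own server.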