Hide HTTP headers in nginx

Francis Daly francis at daoine.org
Fri Nov 13 11:17:22 UTC 2020

On Fri, Nov 13, 2020 at 06:03:02AM +0530, Kaushal Shriyan wrote:

Hi there,

> As part of the security audit, I have set server_tokens off;
> in /etc/nginx/nginx.conf. Is there a way to hide Server: nginx,
> X-Powered-By and X-Generator?

It's generally pointless from a security perspective to hide headers;
and it is impolite to the authors to do so.

Stock nginx does not provide a configuration option to remove the Server:
header (but it does provide the source code and the freedom for you to
do what you want with it).

The other headers might be adjustable by whatever generates
them; but nginx does provide directives like fastcgi_hide_header
(http://nginx.org/r/fastcgi_hide_header) to adjust what is sent from a
fastcgi_pass response.

Good luck with it,

Francis Daly        francis at daoine.org

More information about the nginx mailing list