Request Method Using Mixed case letters.

Maxim Dounin mdounin at mdounin.ru
Tue Jan 12 13:37:22 UTC 2021


Hello!

On Tue, Jan 12, 2021 at 04:10:03AM -0500, sanjay9999 wrote:

> Hi, 
> I am using mixed case letters in request methods. nginx finalized http
> request to 400 because as per the standard Request Method is case sensitive.
> However it shows html response with last line showing "nginx". 
> 
> Our security team says "you should not disclose web server details in the
> response for a request"
> We have implemented solution to hide server name and version.
> 
> However, in this case control does not reach any of our server/location
> blocks, so that I can override the 400 error.

Consider reading these tickets:

https://trac.nginx.org/nginx/ticket/936
https://trac.nginx.org/nginx/ticket/1644

In particular, consider showing this Wikipedia article to your 
"security team":

https://en.wikipedia.org/wiki/Security_through_obscurity

If you really want to hide "nginx" regardless of what's written in 
the above links, you can do so using the server_tokens directive 
(http://nginx.org/r/server_tokens):

    server_tokens "";

This only works in the commercial version though.

-- 
Maxim Dounin
http://mdounin.ru/

