Request Method Using Mixed case letters.
Maxim Dounin
mdounin at mdounin.ru
Tue Jan 12 13:37:22 UTC 2021
Hello!
On Tue, Jan 12, 2021 at 04:10:03AM -0500, sanjay9999 wrote:
> Hi,
> I am using mixed case letters in request methods. nginx finalized http
> request to 400 because as per the standard Request Method is case sensitive.
> However it shows html response with last line showing "nginx".
>
> Our security team says "you should not disclose web server details in the
> response for a request"
> We have implemented solution to hide server name and version.
>
> However, in this case control does not reach any of our server/location
> blocks, so that I can override the 400 error.

Consider reading these tickets:

https://trac.nginx.org/nginx/ticket/936
https://trac.nginx.org/nginx/ticket/1644

In particular, consider showing this Wikipedia article to your
"security team":

https://en.wikipedia.org/wiki/Security_through_obscurity

If you really want to hide "nginx" regardless of what's written in
the above links, you can do so using the server_tokens directive
(http://nginx.org/r/server_tokens):

    server_tokens "";

This only works in the commercial version though.

--
Maxim Dounin
http://mdounin.ru/