Request Method Using Mixed case letters.

Maxim Dounin mdounin at
Wed Jan 13 13:27:44 UTC 2021


On Wed, Jan 13, 2021 at 01:04:26AM -0500, sanjay9999 wrote:

> Thanks for the update.
> I have already taken care to hide the "nginx".

The links I've provided explain why you shouldn't do this.  In 
particular, because this has nothing to do with security, and 
because it is an easy way to say "thanks" to the developers, 
including me.

> With CAPITAL letters, my testcase using "POSTSSS" for request_method, works
> fine. However, for mixed-case and small-case, nginx default rule applies and
> control does not reach my server block. Hence I end up getting 400 error
> with "nginx" server name in html response.

Trying to hide "nginx" everywhere, including response headers and 
error pages, will at least require 3rd party modules to do so, as 
well as non-trivial and error prone error_page configuration.  I 
would not recommend doing this.

If you insist on not saying "thanks", the most simple available 
option is to use 'server_tokens "";' as recommended by the 
previous message (and available in the commercial version).

Maxim Dounin
