How to hide Nginx server headers on Ubuntu by Josh Sherman


Nginx is a fantastic web server choice, but out of the box it is a little too chatty for my taste.

By chatty, I mean that by default Nginx gives up a little too much information about itself, about the operating system it runs on, and, if you run something like Express.js or PHP-FPM behind it, about that as well.

A more specific list would be:

  • It reveals not just that you are running Nginx, but the specific version.
  • It reveals your Linux distribution, though not the specific release or version information.
  • It reveals the backend server and its basic version, usually through the X-Powered-By header.

Call me paranoid, but I hate the idea of having the specific version numbers out there. I do my best to keep my boxes updated, but in case there is a zero-day exploit floating around, I would rather not advertise that I am running a particular version.

Fortunately, hiding almost all of this information is pretty easy. I say "almost all" because Nginx still mentions nginx on its built-in error pages, unless you go through the trouble of compiling from source, or perhaps find a fancy pre-built package that includes the extra flags.

Keep in mind that I wrote this post around Ubuntu, but it will work for Debian as well. Even if you are not on a Debian-based distribution, you should be able to get quite far by installing an alternative nginx package. Your distribution may have something similar, so it is worth checking.

It is also worth noting that you will need superuser access on the machine where you are trying to turn off the server headers; I intentionally omitted sudo from the following commands.

Okay, so the first thing we want to do is replace the nginx package with nginx-extras. This "extras" package includes the HttpHeadersMore module, which will let us strip specific response headers in addition to hiding the Nginx version shown on the error pages.

If you already have Nginx installed (nginx, nginx-light, nginx-full, etc.), this package will replace it. It is a drop-in replacement, though, so things should continue to work as expected.

With the richer version of Nginx installed, we can now add a few more lines to our nginx.conf file.

Start by opening /etc/nginx/nginx.conf and searching for # server_tokens. This is one of the configuration options we want to enable (uncomment it and set it to off), and we will add a few lines below it to remove a few more headers. When you are done, it will look something like this:

# lines before where we made changes

server_tokens off;
more_clear_headers "Server";
more_clear_headers "X-Powered-By";

# lines after where we made changes

With the changes made, go ahead, save the file and exit.

Then, all we have to do is reload Nginx:

Assuming we did things right, the reload should go smoothly; otherwise an error will be printed in the terminal.

The easiest way to check that things are working is to open your site in a web browser and look at the response headers in the Network tab of the developer tools, or hit it with httpie or HEAD from the command line.
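The package swap, the reload and the header check above, pulled together into one script. This is an added example, not code from the original post: it assumes a Debian/Ubuntu box with apt and systemd, is run as root (sudo omitted, as in the post), and the install_nginx_extras, reload_nginx, leaking_headers and check_headers helpers are names chosen here. The two sample responses are constructed, not captured from a real server, so the check can be tried without a live host.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Debian/Ubuntu with apt
# and systemd, run as root. Helper names are invented for this script.

# Step 1 (hypothetical helper): replace the stock nginx package with
# nginx-extras, which ships the headers-more module used by more_clear_headers.
install_nginx_extras() {
  apt-get update
  apt-get install -y nginx-extras
}

# Step 2: validate the edited nginx.conf before reloading, so a typo in the
# new lines never takes the site down.
reload_nginx() {
  nginx -t && systemctl reload nginx
}

# Step 3: print the information-leaking headers found in raw HTTP response
# headers read from stdin (for example the output of `curl -sI https://host/`).
# Header names are matched case-insensitively; CRs from real HTTP output are dropped.
leaking_headers() {
  tr -d '\r' | grep -i -E '^(server|x-powered-by):'
}

# Report the result in words; returns 1 if anything is still exposed.
check_headers() {
  leaks=$(leaking_headers || true)
  if [ -n "$leaks" ]; then
    printf 'Still exposed:\n%s\n' "$leaks"
    return 1
  fi
  echo "No Server or X-Powered-By header"
  return 0
}

# Constructed sample responses, before and after the nginx.conf change.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Content-Type: text/html'

# Run directly: demo the check on the two samples (the first is expected to
# report a leak, so its non-zero status is ignored). Against a live host, use
#   curl -sI https://your-host/ | check_headers
printf '%s\n' "$BEFORE" | check_headers || true
printf '%s\n' "$AFTER" | check_headers || true
```

The ordering matters: nginx -t runs before the reload, so a broken config is caught while the old, working configuration is still being served. The header check deliberately looks only for the two headers the post removes; anything else the backend adds is out of scope here.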
