How to remove server header in Nginx
Nginx is one of the world's most popular web servers by market share, and security is always a main concern for web servers and web applications. By default, Nginx sends its name and version in the Server HTTP header as well as on error pages.
It’s best practice to hide this information from end users to avoid possible targeted attacks.
Hide version information
The most basic security step you should take is to hide the Nginx version information. You can do this by adding one directive to your nginx.conf file:
http {
    ...
    server_tokens off;
    ...
}
This directive only hides the specific version of Nginx from the Server header and the error page; the name Nginx is still shown on the error page.
Hide the server header
There are several ways to stop the Server header from being returned to the end user's browser, including 3rd party modules and removing the header from the server itself.
I have never tried the 3rd party modules, so there is not much for me to share here, but what I usually do is remove the header completely at the source code layer and only then build the server.
To do that, download the Nginx source code from their website, then use the following commands to remove the Server header completely, then compile Nginx. The sed patterns are written against the version shown; sed exits successfully even when nothing matches, so on another version confirm the files actually changed before compiling.
$ VERSION="1.18.0"
$ sudo wget https://nginx.org/download/nginx-${VERSION}.tar.gz
$ sudo tar zxf nginx-${VERSION}.tar.gz
$ cd nginx-${VERSION}
# Change the product string in the version macro from "nginx/" to "-/"
$ sudo sed -i 's@"nginx/"@"-/"@g' src/core/nginx.h
# Make the check that adds the default Server header always false (HTTP/1.x and HTTP/2 filters)
$ sudo sed -i 's@r->headers_out.server == NULL@0@g' src/http/ngx_http_header_filter_module.c
$ sudo sed -i 's@r->headers_out.server == NULL@0@g' src/http/v2/ngx_http_v2_filter_module.c
# Remove the nginx footer from the built-in error pages
$ sudo sed -i 's@<hr><center>nginx</center>@@g' src/http/ngx_http_special_response.c
After removing the header from the source code, you can build Nginx with the following commands:
$ sudo ./configure
$ sudo make
$ sudo make install
After building the server, its responses should no longer contain the Server header.
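One way to check the result from the command line, as an added example that is not part of the original post: the functions below classify what a response still discloses, covering the default build, `server_tokens off`, and the patched build. The test URL in the comment and the sample responses are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): check what a response still discloses.
# Live use: curl -sI http://localhost/ | classify_server_header
#   (http://localhost/ is an assumed test URL)

# Reads raw response headers on stdin and prints one of:
#   absent | product-only: <value> | version-exposed: <value>
classify_server_header() {
    tr -d '\r' | awk '
        /^$/ { exit }                          # blank line ends the header block
        tolower($0) ~ /^server[ \t]*:/ {       # field names are case-insensitive
            sub(/^[^:]*:[ \t]*/, "")           # keep only the field value
            found = 1; value = $0
            exit
        }
        END {
            if (!found)                 print "absent"
            else if (value ~ /\/[0-9]/) print "version-exposed: " value
            else                        print "product-only: " value
        }'
}

# Reads an error page body on stdin; prints "branded" if the nginx footer remains.
error_page_footer() {
    if tr -d '\r' | grep -qiE '<center>nginx(/[0-9.]+)?</center>'; then
        echo "branded"
    else
        echo "clean"
    fi
}

# Constructed sample responses (not captured from a real server).
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n'    | classify_server_header
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n'           | classify_server_header
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' | classify_server_header
printf '<hr><center>nginx</center>\n'                       | error_page_footer
```

Run the header check against both a normal page and a forced error (for example a path that returns 404), since the error page is generated by a different code path than the header filter.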
Originally published at https://tech.david-cheong.com on June 6, 2020.