Hiding the nginx version number

If you care about security, making your system “lean” is one very good start. Remove all clutter, like unused packages. It is part of system hardening and considered a good practice. This also applies to leaking version numbers, which can only be harmful. Yes, it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon.

Nginx version number

Nginx shows the version number by default in error pages and in the headers of HTTP responses. For Nginx to hide this information, just a single statement is needed. Set the server_tokens statement to off in your global configuration file.

# Don't show the Nginx version number (in error pages / headers)
server_tokens off;

After making the changes, test your configuration.

nginx -t

Now restart your Nginx daemon. The next step is to request a non-existing page. It should not display the Nginx version information anymore (just “nginx”).

service nginx restart

Remove “nginx” in output

With the version gone, it will still show ’nginx’ in the output. If you want to remove this as well, additional steps might be needed.

Hex editor or manual compilation

You may want to compile your nginx manually. Another option is to get creative and change the nginx binary with a hex editor. The downside is that these actions take a fair amount of time.

Remove headers via reverse proxy

If you are using a reverse proxy, you can leverage this to remove some of the headers as well. For example with Varnish you can decide to delete some of the headers by unsetting them.

unset resp.http.X-Powered-By;
unset resp.http.Server;

Use the more_clear_headers

There is another option, which is a directive called more_clear_headers, provided by the headers-more module. The package name differs per operating system:

Operating System    Package
Arch Linux          nginx-mod-headers-more
Red Hat             nginx-module-headers-more
Ubuntu              libnginx-mod-http-headers-more-filter

After installation of the module, use the directive and tell it to clear the Server header.

more_clear_headers Server;

Note: this line can be added in the http, server, or location context. If you want to apply it for the whole server, add more_clear_headers to your /etc/nginx/nginx.conf file.

Let’s test before the change is made and nginx is reloaded.

# curl -I https://linux-audit.com
HTTP/2 200 
server: nginx
date: Tue, 09 Apr 2024 07:34:53 GMT

After the change, the Server header is gone.

# curl -I https://linux-audit.com
HTTP/2 200 
date: Tue, 09 Apr 2024 07:37:20 GMT
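To check the result of both steps (server_tokens off, then more_clear_headers) across a fleet of hosts, the following script is an added example, not part of the original article. It classifies the Server header of an HTTP response as leaking a version, showing only the product name, or being absent; the sample headers at the bottom are constructed, and audit_url is a hypothetical wrapper around curl -I.

```shell
#!/bin/sh
# classify_server_header reads raw HTTP response headers on stdin and prints
#   version  -> e.g. "Server: nginx/1.24.0"  (server_tokens still on)
#   product  -> e.g. "Server: nginx"         (server_tokens off, name visible)
#   none     -> no Server header at all      (more_clear_headers or proxy unset)
classify_server_header() {
    # Match the header case-insensitively (HTTP/2 lowercases it), drop CRs,
    # keep the first occurrence and strip leading whitespace from the value.
    value=$(tr -d '\r' | grep -i '^server:' | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//')
    if [ -z "$value" ]; then
        echo "none"
    elif printf '%s\n' "$value" | grep -Eq '/[0-9]'; then
        echo "version"
    else
        echo "product"
    fi
}

# audit_url fetches only the headers of a URL and classifies them (hypothetical
# helper; needs curl and network access).
audit_url() {
    curl -sS -I --max-time 10 "$1" | classify_server_header
}

# Constructed sample responses for an offline run; not captured from a real host.
SAMPLE_DEFAULT='HTTP/1.1 404 Not Found
Server: nginx/1.24.0
Content-Type: text/html'
SAMPLE_TOKENS_OFF='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html'
SAMPLE_CLEARED='HTTP/2 200
date: Tue, 09 Apr 2024 07:37:20 GMT'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_TOKENS_OFF" "$SAMPLE_CLEARED"; do
    printf '%s\n' "$sample" | classify_server_header
done

# With a URL argument, audit a live host instead of the samples.
if [ $# -gt 0 ]; then
    audit_url "$1"
fi
```

Run it against a non-existing page on each server (the 404 path from the article) so that error pages are covered as well as normal responses.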

Automation

Security auditing

If you are responsible for many web servers, then we advise performing regular security audits. Vulnerability scanners can help here, like our open source (and free) auditing tool Lynis.

Configuration management

Additionally, apply this nginx setting in a configuration management solution like Ansible, Cfengine, Chef, Puppet, or Salt. Every web server deployed will automatically have a more secure configuration.

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look; for some of them a cheat sheet is also available.

Feedback


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.
