Hiding the Nginx version number

If you care about security, making your system “lean” is a very good start. Remove all clutter, like unused packages. It is part of system hardening and considered a good practice. This also applies to leaking version numbers, which can only be harmful. Yes, it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon.

Nginx version number

Nginx shows the version number by default in error pages and in the headers of HTTP responses. For Nginx to hide this information, just a single directive is needed. Set server_tokens to off in your global configuration file.

# Don't show the Nginx version number (in error pages / headers)
server_tokens off;

Now restart your Nginx daemon. The next step is to request a non-existing page. It should not display the Nginx version information anymore (just “nginx”).

Remove “nginx” in output

If you want to remove this as well, you may want to compile your nginx manually. Another option is to get creative and change the nginx binary with a hex editor. The downside is that these actions take a fair amount of time.

Remove headers

If you are using a reverse proxy, you can leverage it to remove some of the headers as well. For example, with Varnish you can delete headers by unsetting them in vcl_deliver, just before the response is sent to the client.

sub vcl_deliver {
    unset resp.http.X-Powered-By;
    unset resp.http.Server;
}
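
To verify both the server_tokens change and the header removal described above, here is a small check added to this article (not part of the original post or of Lynis). The function name check_version_leak, the two sample responses and the version "1.2.3" are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_version_leak and both sample responses are constructed
# for illustration; "1.2.3" is a placeholder version.

# Reads a raw HTTP response (as printed by `curl -si URL`) on stdin.
# Returns 0 if nothing is disclosed, 1 if a version or stack header leaks.
check_version_leak() {
    resp=$(tr -d '\r')
    headers=$(printf '%s\n' "$resp" | sed '/^$/q')   # up to the first blank line
    body=$(printf '%s\n' "$resp" | sed '1,/^$/d')    # everything after it
    leak=0
    if printf '%s\n' "$headers" | grep -Eiq '^Server:[[:space:]]*nginx/[0-9]'; then
        echo "LEAK: Server header carries the nginx version"; leak=1
    fi
    if printf '%s\n' "$headers" | grep -Eiq '^X-Powered-By:'; then
        echo "LEAK: X-Powered-By header present"; leak=1
    fi
    # Built-in error pages end with <center>nginx/x.y.z</center> by default
    if printf '%s\n' "$body" | grep -Eiq '<center>nginx/[0-9]'; then
        echo "LEAK: error page body carries the nginx version"; leak=1
    fi
    return "$leak"
}

# Constructed 404 response with default settings (server_tokens on)
sample_default() {
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: nginx/1.2.3' \
        'Content-Type: text/html' '' \
        '<html><body><center><h1>404 Not Found</h1></center>' \
        '<hr><center>nginx/1.2.3</center></body></html>'
}

# Constructed 404 response after "server_tokens off;"
sample_hardened() {
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: nginx' \
        'Content-Type: text/html' '' \
        '<html><body><center><h1>404 Not Found</h1></center>' \
        '<hr><center>nginx</center></body></html>'
}

for s in sample_default sample_hardened; do
    if "$s" | check_version_leak; then echo "$s: clean"; else echo "$s: leaking"; fi
done
# Live use: curl -si http://HOST/no-such-page | check_version_leak
```

The non-zero exit status on a leak makes the function usable as a post-deploy check in a configuration management run.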


Security auditing

If you are responsible for many web servers, then we advise performing regular security audits. Vulnerability scanners can help here, like our auditing tool Lynis.

Configuration management

Additionally, apply this nginx setting through a configuration management solution like Puppet, CFEngine or Chef. Every web server deployed will automatically have a more secure configuration.

This blog post is part of our Linux security series to get Linux (and Unix-based) systems more secure.