Hiding the Nginx version number

If you care about security, making your system lean is a very good start. Remove all clutter, such as unused packages. This is part of system hardening and is considered good practice. The same applies to leaking version numbers, which can only work against you. Yes, it is security through obscurity, and it is no substitute for patching. But why reveal specific details about your environment to an attacker who is deciding which exploit to try first? In this article we look at the very popular Nginx web server daemon.

Nginx version number

By default Nginx shows its version number in the Server header of every HTTP response and in the footer of its built-in error pages. Hiding this information takes a single directive: set server_tokens to off in the http block of your main configuration file (usually /etc/nginx/nginx.conf). The directive is also valid in a server or location block if you only want it for some sites.

# Don’t show the Nginx version number (in error pages / headers)
server_tokens off;
Test the configuration and then reload or restart the Nginx daemon. Next, request a non-existent page and look at both the Server header and the error page. Neither should show the version anymore, just the bare string "nginx".
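To verify the change from the outside, and to repeat the check across many hosts, here is an added shell example (not from the original article). It runs against two constructed sample responses, one from a default Nginx and one after server_tokens off, so it works offline; fetch_404 and audit_hosts are assumed helpers that use curl against a live host. It also flags a version string in the error-page body, not only in the header, since both are leaks.

```shell
#!/bin/sh
# Added example, not part of the original article: verify from the outside
# that an Nginx host no longer leaks its version after "server_tokens off;".
# Sample responses are constructed here so the checks run without a server;
# fetch_404() shows how to get the real thing from a live host with curl.

# Constructed sample: what a default Nginx returns for a missing page.
BEFORE='HTTP/1.1 404 Not Found
Server: nginx/1.24.0
Content-Type: text/html

<html><head><title>404 Not Found</title></head>
<body><center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.24.0</center></body></html>'

# Constructed sample: the same request after "server_tokens off;" and a reload.
AFTER='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html

<html><head><title>404 Not Found</title></head>
<body><center><h1>404 Not Found</h1></center>
<hr><center>nginx</center></body></html>'

# Print the value of the Server header from a raw response (empty if absent).
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^server:' | head -n 1 | cut -d' ' -f2-
}

# Return 0 (true) when a version string such as nginx/1.24.0 appears anywhere
# in the response: header or error-page body, either one is a leak.
leaks_nginx_version() {
    printf '%s\n' "$1" | grep -Eiq 'nginx/[0-9]+\.[0-9]+'
}

# One-line verdict for a response; used by audit_hosts and when run directly.
verdict() {
    if leaks_nginx_version "$1"; then
        printf 'LEAK   Server: %s\n' "$(server_header "$1")"
    else
        printf 'OK     Server: %s\n' "$(server_header "$1")"
    fi
}

# Fetch headers and body of a non-existent page from a live host (needs network).
# Assumed usage: fetch_404 https://www.example.com
fetch_404() {
    curl -s -i "$1/this-page-does-not-exist-$$"
}

# Audit many hosts at once: prints one verdict per URL read from stdin.
# Assumed usage: printf '%s\n' https://a.example https://b.example | audit_hosts
audit_hosts() {
    while read -r url; do
        [ -n "$url" ] || continue
        printf '%s: ' "$url"
        verdict "$(fetch_404 "$url")"
    done
}

# Stand-alone run: show the verdict for both constructed samples.
printf 'default config:    '; verdict "$BEFORE"
printf 'server_tokens off: '; verdict "$AFTER"
```

Run the real check after nginx -t and nginx -s reload (or a restart): a LEAK line is what you get with the default configuration, OK after the change. The pattern deliberately looks for nginx/<number>, so a host where only the bare "nginx" string remains counts as OK, which is exactly what server_tokens off can achieve.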

Remove “nginx” in output

If you want to remove the remaining "nginx" string as well, the clean option is to build Nginx from source and change the strings in the source tree: the Server header value is defined in src/http/ngx_http_header_filter_module.c and the error-page footer in src/http/ngx_http_special_response.c. Another option is to get creative and patch the packaged binary with a hex editor, but the replacement must not be longer than the original string, and the next package update silently restores the binary. For the header alone, the third-party headers-more module (more_clear_headers Server;) removes the Server header entirely, although the error pages still say "nginx". The downside of all of these is that they take a fair amount of time and have to be repeated on every upgrade.

Remove headers

If Nginx sits behind a reverse proxy or cache, you can strip headers there as well. With Varnish, for example, you unset the unwanted response headers in vcl_deliver, the subroutine that runs just before the response goes back to the client. Varnish adds headers of its own (Via and X-Varnish) which can be unset in the same place if the goal is to reveal nothing about the stack.

sub vcl_deliver {
    unset resp.http.X-Powered-By;
    unset resp.http.Server;
}

Automation

Security auditing

If you are responsible for many web servers, we advise performing regular security audits rather than trusting that a setting was applied once. Auditing tools can help here, like our own tool Lynis.

Configuration management

Additionally, apply this nginx setting through a configuration management solution like Puppet, CFEngine or Chef. Every web server you deploy then gets the hardened configuration automatically, and a setting that someone removes by hand is put back on the next run.
