Hiding the Nginx version number
If you care about security, making your system “lean” is a very good start. Remove all clutter, such as unused packages. This is part of system hardening and considered good practice. The same applies to leaking version numbers, which can only be harmful. Yes, it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon.
Nginx version number
Nginx shows its version number by default in error pages and in the Server header of HTTP responses. To make Nginx hide this information, a single statement is enough: set the server_tokens directive to off in the http block of your global configuration file (nginx.conf) and reload Nginx.
# Don’t show the Nginx version number (in error pages / headers)
server_tokens off;
Remove “nginx” in output
Remove headers
sub vcl_deliver {  # Varnish VCL: strip these headers before the response leaves the proxy
    unset resp.http.X-Powered-By;
    unset resp.http.Server;
}
Automation
Security auditing
If you are responsible for many web servers, then we advise performing regular security audits. Vulnerability scanners can help here, like our auditing tool Lynis.
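To verify that server_tokens off and the header removal above actually took effect, an auditor wants a check that looks at what a server really sends. The following script is an added example for this article (not Lynis code and not part of the original post): it parses the header section of an HTTP/1.x response and flags headers that still carry a product/version token. The two sample responses are constructed; LEAKY_RESPONSE imitates a default Nginx with PHP behind it, HARDENED_RESPONSE the same server after the change. The fetch_headers helper is an optional network wrapper around the standard library and is not used by the offline run.

```python
"""Flag HTTP response headers that disclose server software versions.

Added example for the article on hiding the Nginx version number; it is
not part of Lynis or of the original post. It checks the Server header
(which server_tokens off trims from "nginx/1.24.0" to "nginx") and a few
other well-known disclosure headers such as X-Powered-By.
"""
import http.client
import re
from typing import Dict, List, Tuple

# Response headers that commonly carry software and version information.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A product token followed by "/" and a dotted number, e.g. "nginx/1.24.0".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header section of an HTTP/1.x response into a dict.

    Header names are lower-cased; the status line and the body are ignored.
    """
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # blank line terminates the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, value) pairs whose value contains a version token."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append((name, value))
    return findings


def audit(raw: str) -> List[Tuple[str, str]]:
    """Audit one raw response; an empty list means no version is disclosed."""
    return find_disclosures(parse_headers(raw))


def fetch_headers(host: str, port: int = 80, path: str = "/") -> str:
    """Fetch the headers of a live server with a HEAD request (network helper)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        status = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        fields = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return status + fields + "\r\n"
    finally:
        conn.close()


# Constructed sample responses (not captured from a real host).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "X-Powered-By: PHP/8.2.7\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"  # what server_tokens off leaves behind
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("default", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit(raw)
        if findings:
            print(f"[{label}] version disclosed: {findings}")
        else:
            print(f"[{label}] no version information in response headers")
```

Run against a real host, feed the output of fetch_headers(host) into audit(); a non-empty result means either server_tokens is still on, the configuration was not reloaded, or an upstream component (such as PHP) adds its own header that the front end must strip.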
Configuration management
Additionally, apply this Nginx setting through a configuration management solution like Puppet, CFEngine or Chef. Every web server deployed will then automatically have the more secure configuration.