Hiding the nginx version number
If you care about security, making your system “lean” is one very good start. Remove all clutter, like unused packages. It is part of system hardening and considered a good practice. This also applies to leaking version numbers, which can only be harmful. Yes, it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon.
Nginx version number
Nginx shows the version number by default in error pages and in the headers of its HTTP responses. For Nginx to hide this information, just a single statement is needed. Set the server_tokens directive to off in your global configuration file.
# Don't show the Nginx version number (in error pages / headers)
server_tokens off;
After making the changes, test your configuration.
nginx -t
Now restart your Nginx daemon. The next step is to request a non-existing page. It should no longer display the Nginx version information (just “Nginx”).
service nginx restart
Remove “nginx” in output
With the version gone, it will still show ’nginx’ in the output. If you want to remove this as well, additional steps might be needed.
Hex editor or manual compilation
You may want to compile your nginx manually. Another option is to get creative and change the nginx binary with a hex editor. The downside is that these actions take a fair amount of time.
Remove headers via reverse proxy
If you are using a reverse proxy, you can leverage this to remove some of the headers as well. For example, with Varnish you can delete some of the headers by unsetting them.
unset resp.http.X-Powered-By;
unset resp.http.Server;
Use the more_clear_headers
Another option is the more_clear_headers directive, which is part of the headers-more module.
| Operating System | Package |
|---|---|
| Arch Linux | nginx-mod-headers-more |
| Red Hat | nginx-module-headers-more |
| Ubuntu | libnginx-mod-http-headers-more-filter |
After installation of the module, use the function and tell it to clear the Server header.
more_clear_headers Server;
Note: this line can be added in the http, server, or location context. If you want to apply it for the whole server, add more_clear_headers in your /etc/nginx/nginx.conf file.
Let’s test before the change is made and nginx is reloaded.
# curl -I https://linux-audit.com
HTTP/2 200
server: nginx
date: Tue, 09 Apr 2024 07:34:53 GMT
After the change, the Server header is gone.
# curl -I https://linux-audit.com
HTTP/2 200
date: Tue, 09 Apr 2024 07:37:20 GMT
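The two captures above can be turned into a repeatable check. The POSIX shell snippet below is an added example, not part of the original article: it classifies the Server header of a `curl -I` response as still leaking a version, present without a version, or absent, and shows how the same check can be looped over a list of hosts. The sample header blocks in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Classify the Server header of an HTTP response-header block (the output of
# `curl -I`) read from stdin. Prints exactly one word:
#   version - Server header still carries a version number (server_tokens on)
#   generic - Server header present but without a version (server_tokens off)
#   absent  - no Server header at all (e.g. more_clear_headers Server;)
classify_server_header() {
    # Header names are case-insensitive and HTTP/2 tooling prints them in
    # lowercase; strip the name, surrounding whitespace and any trailing CR.
    value=$(grep -i '^server:' | head -n 1 | sed -E 's/^[^:]*:[[:space:]]*//' | tr -d '\r')
    if [ -z "$value" ]; then
        echo absent
    elif printf '%s\n' "$value" | grep -Eq '[0-9]+\.[0-9]+'; then
        echo version
    else
        echo generic
    fi
}

# Constructed sample responses (not captured from a real host), one per state.
SAMPLE_LEAKING='HTTP/1.1 404 Not Found
Server: nginx/1.24.0
Date: Tue, 09 Apr 2024 07:30:00 GMT'

SAMPLE_GENERIC='HTTP/2 200
server: nginx
date: Tue, 09 Apr 2024 07:34:53 GMT'

SAMPLE_CLEARED='HTTP/2 200
date: Tue, 09 Apr 2024 07:37:20 GMT'

# Run the check against every host given on the command line (needs network).
# Returns non-zero if any host still leaks a version number.
audit_hosts() {
    rc=0
    for host in "$@"; do
        state=$(curl -sI --max-time 5 "https://$host/" | classify_server_header)
        printf '%-30s %s\n' "$host" "$state"
        if [ "$state" = version ]; then
            rc=1
        fi
    done
    return $rc
}

# Example: printf '%s\n' "$SAMPLE_LEAKING" | classify_server_header   -> version
```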
Automation
Security auditing
If you are responsible for many web servers, then we advise performing regular security audits. Vulnerability scanners can help here, like our open source (and free) auditing tool Lynis.
Configuration management
Additionally, apply this nginx setting in a configuration management solution like Ansible, CFEngine, Chef, Puppet, or Salt. Every web server deployed will then automatically have a more secure configuration.