How to remove server header in Nginx

Nginx is one of the world's most popular web servers by market share, and security is always a main concern when it comes to web servers and web applications. By default, Nginx sends its name and version information in the Server HTTP header as well as on its error pages.

It's best practice to hide this information from end users, so that it cannot be used for a targeted attack.

Hide version information

The most basic security action you should take is to hide the Nginx version information. You can do this by adding one directive to the http block of your nginx.conf file:

http {
   ...
   server_tokens off;
   ...
}

This directive only hides the specific version of Nginx from the Server header and the error page; the name "nginx" still appears on the error page.

Hide the server header

There are several ways to completely stop the Server header from being returned to the end user's browser, including third-party modules and removing the Server header in the server itself.

I have never tried the 3rd party modules, so there is not much for me to share here, but what I usually do is remove the header directly at the source code layer and only then build the server.

To do that, download the Nginx source code from their website, use the following commands to remove the Server header completely, and then compile Nginx.

# Download and unpack the Nginx source
VERSION="1.18.0" && \
sudo wget https://nginx.org/download/nginx-${VERSION}.tar.gz && \
sudo tar zxf nginx-${VERSION}.tar.gz && \
cd nginx-${VERSION}
# Replace the product name in the version string
sudo sed -i 's@"nginx/"@"-/"@g' src/core/nginx.h
# Make the check that adds the default Server header always false (HTTP/1.x and HTTP/2)
sudo sed -i 's@r->headers_out.server == NULL@0@g' src/http/ngx_http_header_filter_module.c
sudo sed -i 's@r->headers_out.server == NULL@0@g' src/http/v2/ngx_http_v2_filter_module.c
# Remove the "nginx" footer from the built-in error pages
sudo sed -i 's@<hr><center>nginx</center>@@g' src/http/ngx_http_special_response.c

After removing the header in the source code, you can build Nginx with the following commands:

sudo ./configure ...
sudo make && \
sudo make install 

You should get a response like this from the server after building it.
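
To check which of the three states described on this page a server is in (version exposed, product name only, nothing exposed), a response can be classified with a small shell function. This is an added example, not part of the original post; the function name and the sample responses are constructed for illustration, and the live check in the last comment assumes curl is installed.

```shell
#!/bin/sh
# Added example: classify what a raw HTTP response (headers + body) reveals.
# Reads the response on stdin and prints one of: version | product | clean
classify_response() (
    resp=$(tr -d '\r')    # read stdin and drop carriage returns
    # The header section ends at the first empty line; header names are
    # case-insensitive, so match "server:" without regard to case.
    server=$(printf '%s\n' "$resp" | sed '/^$/q' | grep -i '^server:' | head -n 1)
    if printf '%s\n' "$resp" | grep -Eqi 'nginx/[0-9]'; then
        echo version      # default build: version in header and/or error page
    elif [ -n "$server" ] || printf '%s\n' "$resp" | grep -qi '<center>nginx'; then
        echo product      # server_tokens off: Server header or error footer remains
    else
        echo clean        # no Server header and no nginx footer
    fi
)

# Constructed sample responses (not captured from a real server).
sample_default() {
    printf 'HTTP/1.1 403 Forbidden\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n'
    printf '<html><body><center><h1>403 Forbidden</h1></center>'
    printf '<hr><center>nginx/1.18.0</center></body></html>\n'
}
sample_tokens_off() {
    printf 'HTTP/1.1 403 Forbidden\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
    printf '<html><body><center><h1>403 Forbidden</h1></center>'
    printf '<hr><center>nginx</center></body></html>\n'
}
sample_patched() {
    printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n'
    printf '<html><body><center><h1>403 Forbidden</h1></center></body></html>\n'
}

for s in sample_default sample_tokens_off sample_patched; do
    printf '%s: %s\n' "$s" "$($s | classify_response)"
done

# Live check against your own server (URL is a placeholder):
#   curl -si http://localhost/ | classify_response
```

Run the live check against both a normal page and a URL that produces an error page, since the built-in error pages carry their own footer.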