Hide Nginx version3 min read

Devops Engineer
Sorry! The Author has not filled his profile.
follow me

By default, the Nginx version will be displayed when we query HTTP headers or error generated by the Nginx server. lets see how we can hide or remove the Nginx version.

First lets see how Nginx version is displaying using cli

Through curl command,we can see the version on error pages and in the “Server” response header field.

curl -I https://your-domain-name
curl -I https://www.techrunnr.com

Sample Output

HTTP/2 200 
server: nginx/1.17.10 (Ubuntu)
date: Fri, 02 Oct 2020 05:52:03 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding

Now lets hide Nginx Version using server_tokens directive

We need to set server_tokens to off to hide the Nginx server version.Now we will edit nginx.conf file.We will set server_tokens in http, server, or location context only

http {
        ## Basic Settings ##
        charset utf-8;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        log_not_found off;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        client_max_body_size 16M;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
       
 ## Hide Nginx version ##
        server_tokens   off;

        ## Security headers for Nginx ## 
        add_header Strict-Transport-Security "max-age=15768000" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header Referrer-Policy  strict-origin-when-cross-origin;
        
        ## SSL Settings ##
        ssl_protocols TLSv1.3;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        ## Virtual Host Configs ##
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

We have added this line in http section in nginx.conf file.

server_tokens off;

Now we will reload the nginx without restart,before that we will test the conf file.

##Test the conf file

sudo nginx -t

## Reload the nginx to reflect the changes

sudo nginx -s reload

 

Lets verify that Nginx version is hidden

curl -I https://your-domain-name
curl -I https://www.techrunnr.com

Sample Output

HTTP/2 200 
server: nginx
date: Fri, 02 Oct 2020 06:15:03 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding

In Firefox we can confirm nginx version has been hidden now.

Other Values related to server_tokens to hide the Nginx Version

The syntax is as follows:
server_tokens on | off | build | string;

  • on : Show version number.
  • off : Turn off displaying version number.
  • build : Make sure we emitt a build name along with nginx version. You must have the Nginx version 1.11.10.
  • string : Only works with commercial subscription, starting from version 1.9.13 the signature on error pages and the “Server” response header field value can be set explicitly using the string with variables. An empty string disables the emission of the “Server” field.

It is good and recommended not to display Nginx Version,this is one of the methods to prevent our application from hackers or any other thread.But always have a good code,install firewall and WAF ( web Application Firewall).These versions  will be helpful for attackers,so not prefer to display nginx version.

 

© 2020, Techrunnr. All rights reserved.

#1
#2
#3
Questions Answered
Articles Written
Overall Points

Related posts

Leave a Reply