Nginx is a fantastic web server choice, but it tends to be a bit too mouthy by default for my taste.
By mouthy, I mean that out of the box, Nginx gives up a bit too much information about itself, the operating system it’s running on, and if you’re running something like Express.js or PHP-FPM, information about that too.
A more specific list would be:
- Exposing that you’re not only running Nginx, but the specific version.
- Your Linux distro, but not the specific version / release information.
- Underlying servers and version, typically by way of the `X-Powered-By` header.
Call me paranoid, but I hate the idea of having the specific version numbers out there. I do my best to keep my boxes up to date, but on the off chance there’s a zero day exploit, I’d prefer to not let folks know if I’m running that specific version.
Fortunately, hiding nearly all of this information is pretty easy. I say "nearly all" because Nginx still mentions nginx on its built-in error pages unless you go through the trouble of compiling it from source, or perhaps finding a pre-compiled version that includes those additional flags.
Keep in mind I titled this post around Ubuntu, but it will also work for Debian. Even if you're not using a Debian-based distro, you should be able to get pretty far aside from the installation of an alternate `nginx` package. Your distro may have something similar though, so it's worth checking.
Also worth noting, you'll need super user access on the machine you're trying to turn off server headers for, and I've purposefully omitted `sudo` from the following commands.
All right, so the first thing we'll want to do is swap out the `nginx` package for `nginx-extras`. This "extras" package includes the HttpHeadersMore module that will allow us to disable specific headers being returned in addition to disabling the Nginx version that's displayed on the error pages.

```sh
apt install nginx-extras
```
If you already have Nginx installed (`nginx`, `nginx-light`, `nginx-full`, et cetera) this package will replace that. It's a drop-in replacement though, so things should continue to work as expected.
With the more feature-rich version of Nginx installed, we can now add some additional lines to our `nginx.conf` file.
Start by opening up `/etc/nginx/nginx.conf` and search for `# server_tokens off;`. That's one of the configuration options we want to enable, so remove the leading `#` to uncomment it, and then we'll go ahead and add a couple of lines below it to remove some additional headers. When you're done, it will look something like this:

```nginx
# lines before where we made changes
server_tokens off;
more_clear_headers "Server";
more_clear_headers "X-Powered-By";
# lines after where we made changes
```
With those changes made, go ahead and save the file and exit.
Next, all we need to do is reload Nginx:

```sh
systemctl reload nginx
```

Assuming we did things correctly, the reload should go smoothly; otherwise an error will be logged.
The easiest way to test if things are working would be to open your site in a web browser and check your network tab, or hit it with `httpie` or `HEAD` from the command-line.
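To make that check repeatable (for example from a cron job or a deployment pipeline), here is a small POSIX shell audit I've added for this post; it is not part of the original write-up or of the nginx-extras package. It reads a raw HTTP response header block, flags any `Server` or `X-Powered-By` line (the two headers the configuration above clears), and counts them so the result can be asserted on. The two sample responses are constructed by hand to show the before and after; the `check_url` helper feeds it a real response via `curl -I` against a server of your own.

```sh
#!/bin/sh
# Added example: audit an HTTP response header block for version-revealing
# headers. Sample responses below are constructed, not captured from a real host.

# Constructed response from an un-hardened nginx fronting PHP-FPM.
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/7.4.3
Connection: keep-alive'

# Constructed response after server_tokens off + more_clear_headers.
HARDENED_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive'

# leaky_headers RESPONSE: print the Server / X-Powered-By header lines, if any.
# Header names are matched case-insensitively; CRLF line endings are stripped
# first so the anchored match works on responses captured with curl.
leaky_headers() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i -E '^(server|x-powered-by):' || true
}

# count_leaks RESPONSE: print the number of leaking header lines (0 = clean).
count_leaks() {
    leaky_headers "$1" | grep -c . || true
}

# check_headers RESPONSE: exit 0 when clean, 1 when something leaks.
# Offending lines are printed so the operator can see which header to fix.
check_headers() {
    found=$(leaky_headers "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# check_url URL: live check using curl's HEAD request (curl -I) against a
# server you administer, e.g. right after `systemctl reload nginx`.
check_url() {
    check_headers "$(curl -sI "$1")"
}

# Demo when run directly: the default response leaks two headers, the
# hardened one leaks none.
printf 'Default nginx:\n'
check_headers "$LEAKY_RESPONSE" || printf ' -> leaks found (%s)\n' "$(count_leaks "$LEAKY_RESPONSE")"
printf 'Hardened nginx:\n'
check_headers "$HARDENED_RESPONSE" && printf ' -> clean\n'
```

Run it as `check_url https://your.site/` once Nginx has been reloaded; a non-zero exit status with the offending lines printed means the configuration did not take effect for that vhost (a common cause is a `server` block that sets its own headers after the `http`-level directives).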