How to hide Nginx server headers on Ubuntu

Josh Sherman

Nginx is a fantastic web server choice, but it tends to be a bit too mouthy by default for my taste.

By mouthy, I mean that out of the box, Nginx gives up a bit too much information about itself, the operating system it’s running on, and if you’re running something like Express.js or PHP-FPM, information about that too.

A more specific list would be:

Call me paranoid, but I hate the idea of having the specific version numbers out there. I do my best to keep my boxes up to date, but on the off chance there’s a zero day exploit, I’d prefer to not let folks know if I’m running that specific version.

Fortunately, hiding nearly all of this information is pretty easy. I say “nearly all” because Nginx still mentions nginx on its built-in error pages unless you go through the trouble of compiling it from source, or perhaps finding a pre-compiled version that includes those additional flags.

Keep in mind I titled this post around Ubuntu, but it will also work for Debian. Even if you’re not using a Debian-based distro, you should be able to get pretty far aside from the installation of an alternate nginx package. Your distro may have something similar though, so it’s worth checking.

Also worth noting, you’ll need super user access on the machine you’re trying to turn off server headers for and I’ve purposefully omitted sudo from the following commands.

All right, so the first thing we’ll want to do is swap out the nginx package for nginx-extras. This “extras” package includes the HttpHeadersMore module that will allow us to disable specific headers being returned in addition to disabling the Nginx version that’s displayed on the error pages.

apt install nginx-extras

If you already have Nginx installed (nginx, nginx-light, nginx-full, et cetera) this package will replace that. It’s a drop-in replacement though, so things should continue to work as expected.

With the more feature-rich version of Nginx installed, you can now add some additional lines to our nginx.conf file.

Start by opening up /etc/nginx/nginx.conf and search for # server_tokens off;. That’s one of the configuration options we want to enable, and we’ll go ahead and add a couple of lines below it to remove some additional headers. When you’re done, it will look something like this:

# lines before where we made changes

server_tokens off;
more_clear_headers "Server";
more_clear_headers "X-Powered-By";

# lines after where we made changes

With those changes made, go ahead and save the file and exit.

Next, all we need to do is reload Nginx:

systemctl reload nginx

Assuming we did things correctly, the reload should go smoothly; otherwise an error will be logged.

The easiest way to test if things are working would be to open your site in a web browser and check your network tab, or hit it with httpie or HEAD from the command-line.
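To make that check repeatable, here is an added example (not part of the original post): a shell function that reads raw response headers and flags any Server or X-Powered-By header that is still being sent. The sample responses and their version strings are constructed, and the URL in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Reads raw HTTP response headers
# on stdin, prints every Server / X-Powered-By header found, and returns 1 if
# any is present (0 when the response is clean).
# Live use (placeholder URL): curl -sI https://example.com/ | leaky_headers
leaky_headers() {
    # HTTP header lines end in CRLF and header names are case-insensitive.
    tr -d '\r' | awk '
        {
            i = index($0, ":")
            if (i == 0) next                  # status line or blank line
            name = tolower(substr($0, 1, i - 1))
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            if (name == "server" || name == "x-powered-by") {
                print name ": " value
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample responses (version strings are illustrative only).
# STOCK: default package config. TOKENS_OFF: only server_tokens off.
# CLEARED: server_tokens off plus both more_clear_headers lines.
STOCK='HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nX-Powered-By: Express\r\nContent-Type: text/html\r\n\r\n'
TOKENS_OFF='HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
CLEARED='HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'

for sample in "$STOCK" "$TOKENS_OFF" "$CLEARED"; do
    if printf '%b' "$sample" | leaky_headers; then
        echo "clean: no Server or X-Powered-By header"
    else
        echo "^ still disclosed"
    fi
done
```

The middle sample shows why server_tokens off alone is not enough: the version is gone, but the Server header itself is only removed by the more_clear_headers lines.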
