By default Nginx likes to show its version in the reply header of every request and on error pages. It is important to turn off the nginx version disclosure in order to prevent attackers from finding potential exploits for your nginx server version. While this is generally a problem, I suspect that the secure “do not display nginx version” configuration will never be the default because of companies like Netcraft which do data mining on webserver versions and such. (They seem to have good friends or to just lobby a lot against making a secure configuration the default.)


The good news is that removing the Nginx version output is easy. It’s fortunately just a matter of seconds and one small configuration change. In /etc/nginx/nginx.conf (or wherever your main nginx configuration is located) add the following directive within the http { } block:

server_tokens off;

After you’ve added this little server_tokens snippet into the Nginx configuration file, you need to restart nginx by running service nginx restart. By using

curl -I "http://example.com"

you can check if the version is now stripped from the server header. Please note that you cannot remove nginx from the server header completely. Here is what the result looks like:
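The same check, written as a small POSIX shell script that classifies a captured response instead of eyeballing it; this is an added example and not code from the original post. It runs offline on constructed sample responses (the header text is what curl -I prints, the body is the stock nginx 404 page) and only assumes curl is installed for the optional live call at the end.

```shell
#!/bin/sh
# Classify the Server header of a raw HTTP response (the text curl -I prints).
# Prints one of:
#   disclosed  - Server header carries a version, e.g. "nginx/1.18.0"
#   hidden     - Server header is a bare product name, e.g. "nginx"
#   absent     - no Server header at all
server_header_status() {
    # Strip CRs and keep the first Server: line (header names are case-insensitive)
    line=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^server:' | head -n 1)
    [ -n "$line" ] || { echo absent; return 0; }
    value=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$value" in
        */[0-9]*) echo disclosed ;;   # product/version form
        *)        echo hidden ;;
    esac
}

# Same classification for an error page body: the stock nginx error page
# shows "<center>nginx/1.18.0</center>" until server_tokens is off, after
# which it shows just "<center>nginx</center>".
error_page_status() {
    if printf '%s\n' "$1" | grep -q '<center>nginx/[0-9]'; then
        echo disclosed
    elif printf '%s\n' "$1" | grep -qi '<center>nginx'; then
        echo hidden
    else
        echo absent
    fi
}

# Constructed sample responses (not captured from a real server)
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html'
HARDENED_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'
LEAKY_BODY='<html><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>'

echo "headers before server_tokens off: $(server_header_status "$LEAKY_HEADERS")"
echo "headers after server_tokens off:  $(server_header_status "$HARDENED_HEADERS")"
echo "error page before:                $(error_page_status "$LEAKY_BODY")"
# Live check against a host you operate (assumes curl is installed):
#   server_header_status "$(curl -sI http://example.com)"
```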