How to Hide Nginx's Version
Why do we want to hide Nginx's version (or signature)?
Because if the server version is accessible, a potential attacker could exploit any vulnerabilities impacting that version. Limiting the information exposure will help you narrow the possibilities for malicious hackers to exploit – Someone
So, how can people see our web server's version?
- HTTP Headers
- Error Pages
- Other tools (such as Wappalyzer)
HTTP Headers
Open the Developer Console in any browser, go to the Network tab, and pick any request. In the response headers you'll see something like this:
You see that `Server: nginx/1.26.1` header.
Web Server's Error Pages
When you access your site and hit an unavailable file, a misconfiguration, or a 50x error, you'll see something like this on the page.
You see that `nginx/1.26.1` at the bottom? That's our web server's version.
How to hide Nginx's version?
I assume that you already understand Nginx's configuration structure. In short, there are two important contexts: the `http` context and the `server` context.
By default, the configuration is located in `/etc/nginx/nginx.conf`. In that file you'll see an `http {...}` context, and within the `http` context you'll see the line `include /etc/nginx/conf.d/*.conf;`.
After knowing the why, you want to understand the how, but before that you should understand the where. Where do you want to place the config: in the `http` context or in a `server` context?
If you place it in `http`, the setting applies to all `server` blocks; if you place it in a `server` context, it applies only to that `server`. So it's up to you where to place it.
Finally, here's how you can easily hide Nginx's version:
```nginx
http {
    # place it in the `http` context
    server_tokens off;

    server {
        # or place it in a `server` context
        server_tokens off;
    }
}
```
Easy, right? That's it! Run `nginx -t` to check the config and `nginx -s reload` to apply it. Note that `server_tokens off` only removes the version number: the `Server: nginx` header is still sent and the error pages still say "nginx", so the product itself is not hidden.
The Result: HTTP Headers
Here's how it shows in the response headers.
The Result: Web Server's Error Page
Here's how it shows in Nginx's 404 error page.
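To confirm the change from the outside, it helps to check both places the post showed the version leaking: the `Server` header and the body of an error page. The script below is an added example, not part of the original post; it parses a raw HTTP response, reports where an `nginx/<version>` string is disclosed, and ships with two constructed sample responses (one before `server_tokens off`, one after) so it runs offline. The `fetch_raw_response` helper is an optional convenience for pointing it at a real host you administer; its URL argument and the sample responses are assumptions for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# Constructed sample responses (not captured from a real server) modelling
# the two states described in the post: version exposed, then hidden.
RESPONSE_VERSION_EXPOSED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.26.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head>"
    "<body><center><h1>404 Not Found</h1></center>"
    "<hr><center>nginx/1.26.1</center></body></html>"
)

RESPONSE_VERSION_HIDDEN = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head>"
    "<body><center><h1>404 Not Found</h1></center>"
    "<hr><center>nginx</center></body></html>"
)

# Matches "nginx/<version>" in a header value or in an HTML error page.
VERSION_RE = re.compile(r"nginx/(\d+(?:\.\d+)+)", re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_version_leaks(raw):
    """Return a dict naming where the version is disclosed ('header', 'error_page');
    an empty dict means no nginx/<version> string was found in either place."""
    _, headers, body = split_response(raw)
    leaks = {}
    header_match = VERSION_RE.search(headers.get("server", ""))
    if header_match:
        leaks["header"] = header_match.group(1)
    body_match = VERSION_RE.search(body)
    if body_match:
        leaks["error_page"] = body_match.group(1)
    return leaks


def fetch_raw_response(url):
    """Fetch a URL (assumed to be a host you administer) and rebuild a raw
    response string. 404/50x responses are kept rather than raised, since the
    error page body is exactly what we want to inspect."""
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err
    status = "HTTP/1.1 %d %s" % (resp.getcode(), resp.reason)
    header_lines = ["%s: %s" % (k, v) for k, v in resp.headers.items()]
    body = resp.read().decode("utf-8", errors="replace")
    return "\r\n".join([status] + header_lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    # With no argument, run over the constructed samples; with a URL, check a live host.
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: fetch_raw_response(sys.argv[1])}
    else:
        samples = {"exposed": RESPONSE_VERSION_EXPOSED, "hidden": RESPONSE_VERSION_HIDDEN}
    for name, raw in samples.items():
        leaks = find_version_leaks(raw)
        print(name, "->", leaks if leaks else "no version disclosed")
```

Run it with no arguments to see both sample states, or with a URL to a page that does not exist on your own server (so you get the 404 page). The check deliberately looks for `nginx/<version>` rather than for the absence of the word "nginx", because `server_tokens off` keeps the product name in both the header and the error page.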