Opened 4 years ago
Educate people about the importance of "Server" HTTP header
Reported by: Ivan Aksamentov
Owned by:
Keywords: server header removing stripping hardening server_tokens headers-more-nginx-module
Cc: @…, @…
uname -a: not relevant
nginx -V: not relevant
Nginx Inc. should consider increasing the visibility of the problem of stripping the "Server" header, in particular, bringing forward the consequences for global server market share analytics and fundraising, and advertise the importance of the header for the sustainability of Nginx as a free and open-source product.
I just learned about the issue from @mdounin and @vbart:
Here are some examples of what can be done:
- Add a short, unobtrusive message on a mildly-colored background, explaining the importance of the header to the docs section for "server_tokens":
That's where I imagine people typically begin their header-stripping journey.
A good starting point for a message will be the comment from @vbart linked above. Explain that they don't really hide Nginx from hackers or prevent the "fingerprinting" (bring on other fingerprinting methods, like packet structure analysis or whatever). Most importantly, insist on the fact that they support Nginx by leaving the header public. Make sure their potential shameful act stops right there.
- Repeat the same message in FAQ sections for both open-source Nginx and Nginx Plus. Additionally and optionally, it would be also nice to have some more transparency on the financial aspect of the organization: in a few words explain where you get cash.
- Add a source code comment to:
explaining the importance of not tampering with these strings.
<evil_mode>Also consider making ever-so-slight modifications to these variables such that would break the existing header-stripping patches and scripts. Some people will be upset, but, well, they are not doing things right, these are "bad" patches, and we want to let them know about it. Also, you have full right to change anything you want in the upstream code, including introducing breaking changes</evil_mode>
- There are numerous "Nginx hardening" guides on the web that advertise stripping or changing the header for additional "security". That's how you learn about "the patch". Make marketing people contact some of the authors and ask them to add a remark about the importance of the header. Granted, you cannot cover all of the articles, but some authors will surely comply.
- Pull-request to
from the organizational Nginx Inc. account, at the very least removing
more_set_headers 'Server: my-server'; from the very first line in the examples on the front page, and explaining why. Contact Openresty. They are commercials, they are your downstream, they will understand.
- There are several stackoverflow/serverfault Q&A on "Nginx hardening". Go comment on those. Start with words "I'm one of the Nginx core developers...".
- Comment on Google Pagespeed resources, e.g. on its Github issues, where people ask to remove the headers. I was so convinced by all these "hardening" articles, I even tried to avoid Pagespeed, arguably one of the most useful modules, because it forcibly re-enables the header (and adds its own). For me, avoiding Pagespeed already felt kinda weird, but now it feels just plain stupid.
- Educate people. Write blog articles, regularly presenting current server market shares and mention (shame) header-strippers. Share on reddit, twitter, whatever. I am pretty sure there are entire companies with policies for stripping server header among other crazy stuff. Educate those folks.
- In the future, try to refrain from snarky comments, especially on bug reports, especially to newcomers. This turns people off immediately. Provide pure distilled information instead. Have a header-stripping reply as a quick copy-paste template. Most people just don't know a thing about server share analytics and its consequences for fundraising. 5 minutes ago I didn't know it existed and didn't know you do fundraising. I was imagining Google pays you because I heard they use it. I thought you swim in money.
If your devs feel offended by the stripped header and it influences the financial side, I think it's in the best interest of the organization (and consequently all of us, relying on Nginx) to make the problem more visible, so that people could make an informed decision. Nobody will be digging into your bug tracker, trying to find answers to problems they never knew existed.
I just donated a few bucks to wikipedia, and they bring a large ugly ad frame that covers half of the page. They asked for cash. I love wikipedia, I gave cash. Nginx needs a header? Great, I love Nginx, I'll bring the header back. Gosh, I will go ahead and add a proud "Powered by Nginx" on every page. Every free project needs money. No need to be shy here.
Thank you all guys, and please keep up the great job!