Opened 9 years ago
Last modified 2 years ago
#936 new enhancement
For security purposes it is necessary to remove or change the "server" header
| Field | Value |
|---|---|
| Reported by | |
| Owned by | |
| Priority | minor |
| Milestone | |
| Component | nginx-core |
| Version | 1.4.x |
| Keywords | security configuration |
| Cc | |
| uname -a | |
| nginx -V | nginx version: nginx/1.4.6 (Ubuntu) |
Description
Advertising what server you are using makes a hacker's job easier. It would be helpful if there was a configuration setting beyond "server_tokens off" that would completely suppress the "server" header.
Change History (7)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Hi.
Maybe you know this already, but the "headers more" module can do this for you: https://github.com/openresty/headers-more-nginx-module
Cheers
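As an added example (not from the ticket and not the nginx project's or the headers-more module's own documentation), the two settings side by side: `server_tokens off;` is core nginx and only strips the version, while removing the header entirely requires the third-party headers-more module linked into the binary and its `more_clear_headers` directive. The `server_name`, listen port and document root are placeholders.

```nginx
# Added example, not part of the ticket. Assumes nginx was built with
# headers-more-nginx-module linked in; server_name, port and root are placeholders.

http {
    # Core nginx: hides the version string, but the response still
    # carries "Server: nginx".
    server_tokens off;

    server {
        listen 80;
        server_name example.invalid;   # placeholder

        # headers-more directive: drops the Server header from responses
        # entirely. Without the module, "server_tokens off" above is the
        # most that core nginx 1.4.x offers.
        more_clear_headers Server;

        location / {
            root /var/www/html;   # placeholder document root
        }
    }
}
```

After `nginx -t` passes and the server is reloaded, `curl -I` against the host shows no `Server:` line. As comment 4 below points out, the order of the remaining headers still fingerprints nginx, so this raises the cost of reconnaissance rather than eliminating identification.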
comment:3 by , 8 years ago (follow-up: 4)
As the headers-more module isn't included with the default distribution I don't consider this a valid nor viable solution. Furthermore: Not everybody can (or is able to) build additional modules from source.
@vbart: Not displaying the software version and vendor is not Security by Obscurity but a measure to make fingerprinting for an attacker more expensive. If a software says what it is (which I'm forced to currently with nginx) an attacker just needs to verify this claim to be true. Hiding this information requires an attacker to gather this information from elsewhere (e.g. fingerprinting, guessing, ...) before an attack can be targeted properly. Thus not showing this information minimizes usable information for reconnaissance of the system.
The setting "server_tokens off;" really MUST mean off.
comment:4 by , 8 years ago
Replying to BenBE@…:

> @vbart: Not displaying the software version and vendor is not Security by Obscurity but a measure to make fingerprinting for an attacker more expensive.

How much more expensive is it? It's quite easy to detect nginx by the order of headers.

> If a software says what it is (which I'm forced to currently with nginx) an attacker just needs to verify this claim to be true. Hiding this information requires an attacker to gather this information from elsewhere (e.g. fingerprinting, guessing, ...) before an attack can be targeted properly. Thus not showing this information minimizes usable information for reconnaissance of the system.
> The setting "server_tokens off;" really MUST mean off.

I don't think so.
You're using nginx for free. And the software name in response headers is the smallest way to say thank you for the developers.
You also have an alternative option. You can buy NGINX Plus, which has the ability to change the server header or to remove it completely.
I just leave this link here: https://en.wikipedia.org/wiki/Security_through_obscurity