Opened 4 years ago

Last modified 3 years ago

#936 new enhancement

For security purposes it is necessary to remove or change the "server" header

Reported by: jon.strayer@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.4.x
Keywords: security configuration Cc:
uname -a:
nginx -V: nginx version: nginx/1.4.6 (Ubuntu)

Description

Advertising what server you are using makes a hacker's job easier. It would be helpful if there was a configuration setting beyond "server_tokens off" that would completely suppress the "server" header.

Change History (4)

comment:2 Changed 3 years ago by neilstuartcraig@…

Hi.

Maybe you know this already, but the "headers more" module can do this for you: https://github.com/openresty/headers-more-nginx-module

Cheers

comment:3 follow-up: Changed 3 years ago by BenBE@…

As the headers-more module isn't included with the default distribution I don't consider this a valid nor viable solution. Furthermore: Not everybody can (or is able to) build additional modules from source.

@vbart: Not displaying the software version and vendor is not Security by Obscurity but a measure to make fingerprinting for an attacker more expensive. If a software says what it is (which I'm forced to currently with nginx) an attacker just needs to verify this claim to be true. Hiding this information requires an attacker to gather this information from elsewhere (e.g. fingerprinting, guessing, ...) before an attack can be targeted properly. Thus not showing this information minimizes usable information for reconnaissance of the system.

The setting "server_tokens off;" really MUST mean off.

comment:4 in reply to: ↑ 3 Changed 3 years ago by vbart

Replying to BenBE@…:

@vbart: Not displaying the software version and vendor is not Security by Obscurity but a measure to make fingerprinting for an attacker more expensive.

How much more expensive is it? It's quite easy to detect nginx by the order of headers.

If a software says what it is (which I'm forced to currently with nginx) an attacker just needs to verify this claim to be true. Hiding this information requires an attacker to gather this information from elsewhere (e.g. fingerprinting, guessing, ...) before an attack can be targeted properly. Thus not showing this information minimizes usable information for reconnaissance of the system.

The setting "server_tokens off;" really MUST mean off.

I don't think so.

You're using nginx for free. And the software name in response headers is the smallest way to say thank you to the developers.

You also have an alternative option. You can buy NGINX Plus, which has the ability to change the server header or to remove it completely.
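For reference, the two configurations discussed in this ticket side by side, as an added illustration rather than text from the ticket or from nginx's own documentation. It assumes nginx was compiled with `--add-module=` pointing at a checkout of the headers-more module linked in comment:2; the directives and the `Server` values shown in the comments are the documented behaviour of open-source nginx and of that module.

```nginx
# Added example: hiding the Server header in open-source nginx.
# Assumes a build with the headers-more module:
#   ./configure --add-module=/path/to/headers-more-nginx-module   (path is a placeholder)

http {
    # Built-in directive only. The version is dropped, but the product
    # name is still advertised:  Server: nginx
    server_tokens off;

    server {
        listen 8080;
        server_name  tokens-off.example;   # constructed hostname
        location / {
            return 200 "server_tokens off: header still says nginx\n";
        }
    }

    server {
        listen 8081;
        server_name  no-server-header.example;   # constructed hostname
        # headers-more directive: strips the Server header from every
        # response this virtual host sends, including error pages.
        more_clear_headers 'Server';
        location / {
            return 200 "more_clear_headers: no Server header at all\n";
        }
    }
}
```

Comment:4's point still stands after either change: header ordering and other response details can identify the software, so removing the header reduces what a passive observer learns but does not by itself make the server anonymous.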
