How to hide Server: banner
May 01, 2009 09:28PM
I'm interested in learning how to hide the "Server: nginx/[version]" banner from the Server header variable... I'd prefer not to advertise to hackers exactly which HTTP server I'm using....
Re: How to hide Server: banner
May 01, 2009 10:15PM
I don't think it will do you much good. A casual hacker isn't going to get through your security and a serious hacker will get the information easily enough through HTTP fingerprinting. See http://www.net-square.com/httprint/httprint_paper.html.

That said, you can turn off the version with the directive "server_tokens off".

From http://wiki.nginx.org/NginxHttpCoreModule#server_tokens :

[quote]
server_tokens

syntax: server_tokens on|off

default: server_tokens on

context: http, server, location

Whether to send the Nginx version number in error pages and Server header. [/quote]


If you want to remove the name of the server completely you need to alter the source code prior to compiling.

Edit /path/to/nginx-0.*/src/http/ngx_http_header_filter_module.c lines 48 and 49:

[code]
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
[/code]

Put in anything you like.

If you want to edit NGINX_VER, it is defined, along with some other relevant constants, in /path/to/nginx-0.*/src/core/nginx.h, lines 11-13.

--
Jim Ohlstein
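
The following is an added example, not part of the posts above and not nginx code: a small audit that computes the effective server_tokens value for every http, server and location block in a configuration, using the default (on) and contexts from the quoted documentation. The sample config, function names and path format are assumptions for illustration; the tokenizer does not handle quoted strings or follow include files.

```python
import re

# Constructed sample config for the demonstration (not from the thread).
SAMPLE_CONF = """
http {
    server {
        server_name a.example;
        location /status { server_tokens on; }  # re-enables the version here
    }
    server {
        server_name b.example;
    }
    server_tokens off;  # position inside the block does not affect inheritance
}
"""

def effective_server_tokens(conf_text):
    """Return [(block_path, value)] for each http/server/location block."""
    text = re.sub(r"#[^\n]*", "", conf_text)        # strip comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)   # simplification: no quoted strings
    root = {"path": "main", "parent": None, "explicit": None}
    current, words, blocks = root, [], []
    for tok in tokens:
        if tok == "{":                               # a block opens
            node = {"path": current["path"] + " > " + " ".join(words),
                    "parent": current, "explicit": None}
            if words and words[0] in ("http", "server", "location"):
                blocks.append(node)
            current, words = node, []
        elif tok == "}":                             # back to the enclosing block
            current, words = current["parent"] or root, []
        elif tok == ";":                             # a simple directive ends
            if len(words) == 2 and words[0] == "server_tokens":
                current["explicit"] = words[1]
            words = []
        else:
            words.append(tok)

    def resolve(node):
        # Walk outwards until a block sets the directive; documented default is "on".
        while node is not None:
            if node["explicit"] is not None:
                return node["explicit"]
            node = node["parent"]
        return "on"

    return [(b["path"], resolve(b)) for b in blocks]

def version_exposed(conf_text):
    """Paths of blocks that would still send the version number."""
    return [path for path, value in effective_server_tokens(conf_text) if value != "off"]
```

Running version_exposed(SAMPLE_CONF) reports only the /status location, which overrides the http-level setting and would still send the version in its Server header and error pages.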