Hello!

On Tue, Jan 12, 2021 at 04:10:03AM -0500, sanjay9999 wrote:

> Hi,
> I am using mixed case letters in request methods. nginx finalized http
> request to 400 becuase as per the standard Request Method is case sensitive.
> However it shows html response with last line showing "nginx".
>
> Our security team says "you should not disclose web server details in the
> response for a request"
> We have implemented solution to hide server name and version.
>
> However, in this case control does not reach any of out server/location
> block . so that I can override the 400 errror.

Consider reading these tickets:

https://trac.nginx.org/nginx/ticket/936
https://trac.nginx.org/nginx/ticket/1644

In particular, consider showing this Wikipedia article to your
"security team":

https://en.wikipedia.org/wiki/Security_through_obscurity

If you really want to hide "nginx" regardless of what's written in
the above links, you can do so using the server_tokens directive
(http://nginx.org/r/server_tokens):

server_tokens "";

This only works in the commercial version though.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx