Nginx Tip - Remove Version Number

I wanted to give another quick tip in the process of hardening the security of Nginx.

There are a bunch of things one can do to manage and limit connections, and they’re good, but something that is often overlooked is removing the version number of the web server. This isn’t a security-through-obscurity thing, but rather taking whatever easy steps one can take to make things even a little bit tougher for an attacker.

For example, if there is a vulnerability in a specific version of Nginx, it makes sense not to broadcast the version number running on one’s server to the world, allowing anyone paying attention to easily determine whether your server is vulnerable.

Of course, one can go to great lengths and change the server software name altogether by modifying Nginx’s source code and recompiling, but I’m going to limit this suggestion to something that is easy and within the reach of every web admin out there.

To configure Nginx to stop listing its version number in error pages and HTTP headers, add the following line to the server block in your configuration file:

server_tokens: off;

That’s all that needs to be done. Now, Nginx will only list the fact that it is an Nginx server, but exclude the version in HTTP headers and error pages.