
Disable your nginx server tokens

Etienne Marais

A raw nginx install displays server information in its response headers, which is not ideal if you want a more secure environment for your website to live in. Fortunately, it's very easy to stop this extra server info from being displayed.

curl -I http://localhost

# Output
HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
...

That output shows the operating system as well as the version of nginx running on it. There might be exploitable vulnerabilities for that version.

Edit your base nginx config

sudo nano /etc/nginx/nginx.conf

Look for the http configuration section and add the line server_tokens off; as shown below.

...
##
# Basic Settings
##
server_tokens off;
...

Save and exit the config file. Reload nginx with the new config.

sudo service nginx reload

Running curl again on localhost should now show a Server header without the nginx version and operating system.

curl -I http://localhost

# Output
HTTP/1.1 200 OK
Server: nginx
...
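
To repeat this check without reading headers by eye (for example after every config deploy), the script below classifies the Server header in a response. It is an added example, not part of the original post; the function names classify_server_header and check_url are hypothetical, and the sample responses are constructed to mirror the curl output above.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads raw HTTP response headers on stdin and prints one of:
#   missing          - no Server header present
#   hidden           - Server header present, no version or OS details
#   leaks: <value>   - Server header discloses a version or OS comment
classify_server_header() {
    awk '
        { sub(/\r$/, "") }              # HTTP lines end in CRLF; drop the CR
        /^$/ { exit }                   # blank line ends the headers; never parse a body
        tolower($0) ~ /^server:/ {      # header names are case-insensitive
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)
            found = 1
            # "/<digit>" (nginx/1.4.6) or a parenthesised comment ((Ubuntu))
            # means version or platform details are being disclosed.
            if (value ~ /\/[0-9]/ || value ~ /\(.*\)/) leak = value
        }
        END {
            if (!found)          print "missing"
            else if (leak != "") print "leaks: " leak
            else                 print "hidden"
        }
    '
}

# Check a live URL with a HEAD request, like the curl -I calls in the post.
check_url() {
    curl -sI --max-time 5 "$1" | classify_server_header
}

# Constructed samples: the "before" and "after" responses shown in the post.
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.4.6 (Ubuntu)\r\n\r\n' | classify_server_header
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n' | classify_server_header
```

server_tokens can also be set inside individual server and location blocks, so run check_url against each virtual host rather than only localhost.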