How to hide Nginx version on Linux and Unix

By default, Nginx reveals its version number in the HTTP response headers and on the error pages it generates. This quick guide explains how to hide or remove the Nginx version on a Linux or Unix server without restarting the system.

Tutorial requirements
Operating system/app: Nginx running on Linux/Unix
Root privileges required: Yes
Difficulty: Easy
Estimated completion time: 2m

Displaying the current Nginx version using the CLI

Nginx shows its version on error pages and in the “Server” response header field. We can verify that using the following command:
$ curl -I https://your-domain
$ curl -I https://www.cyberciti.biz

Sample outputs:

HTTP/2 200 
server: nginx/1.17.10 (Ubuntu)
date: Tue, 23 Jun 2020 09:36:49 GMT
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=15768000
x-whome: l-ncbz01-mg-wg

Here is the output from my HTTP 502 error page, which also displays the version:
[Image: How to Hide Nginx Server Version in Linux]

Hiding Nginx version with server_tokens directive

You need to set server_tokens to off to hide the Nginx server version on Linux and Unix-like systems. Edit your nginx.conf file using a text editor such as vim/nano:
$ sudo vim /etc/nginx/nginx.conf
The server_tokens directive is valid only in the http, server, and location contexts. I am going to add it to my http section:
server_tokens off;
Here is how it looks:

http {
        ## Basic Settings ##
        charset utf-8;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        log_not_found off;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        client_max_body_size 16M;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ## Hide Nginx version ##
        server_tokens   off;
        ## Security headers for Nginx ## 
        add_header Strict-Transport-Security "max-age=15768000" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header Referrer-Policy  strict-origin-when-cross-origin;
        add_header Feature-policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
        add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
        ## SSL Settings ##
        ssl_protocols TLSv1.3;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        ## Virtual Host Configs ##
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

Gracefully restart or reload the Nginx server:
$ sudo nginx -t
$ sudo nginx -s reload

Verify that Nginx version is hidden

Use the curl command as follows:
$ curl -I https://your-domain-name-here
$ curl -I https://www.cyberciti.biz

Look ma, no version shown:

HTTP/2 200 
server: nginx
date: Tue, 23 Jun 2020 09:43:17 GMT
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=15768000

Firefox confirmed that I successfully hid the Nginx version too:
[Image: How to Hide Your NGINX Server Version Verification]
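Checking one host by eye with curl is fine, but when you have many vhosts it helps to script the verification. The following is an added example (not part of the original post): two small shell checks that inspect curl -I output and an error-page body for a leaked version, run here against constructed samples modelled on the before/after headers above. The audit_url helper and its output wording are my own assumptions.

```shell
#!/bin/sh
# Added example: audit header text for a leaked Nginx version.
# Exit status 0 means "version leaks", 1 means "hidden".

# True (exit 0) when a Server: header value carries a "/<digit>" version
# suffix such as "nginx/1.17.10 (Ubuntu)"; false for a bare "nginx" banner
# or when the header is absent altogether (server_tokens "").
server_header_leaks_version() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "server:" {
            sub(/^[^:]*:[[:space:]]*/, "")      # keep only the header value
            if ($0 ~ /\/[0-9]/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Same check for an HTML error page body: the default Nginx error pages
# print "<center>nginx/1.17.10</center>" unless server_tokens is off.
error_page_leaks_version() {
    printf '%s\n' "$1" | grep -Eq 'nginx/[0-9]+\.[0-9]+'
}

# Live use (not exercised below): fetch a real response and run both checks.
# Assumes curl is installed; the URL is whatever host you are auditing.
audit_url() {
    url="$1"
    if server_header_leaks_version "$(curl -sI "$url")"; then
        echo "LEAK: $url reveals the version in its Server header"; return 1
    fi
    if error_page_leaks_version "$(curl -s "$url/this-page-does-not-exist")"; then
        echo "LEAK: $url reveals the version on its error page"; return 1
    fi
    echo "OK: $url hides the Nginx version"
}

# Constructed samples (not captured from any live host).
BEFORE='HTTP/2 200
server: nginx/1.17.10 (Ubuntu)
date: Tue, 23 Jun 2020 09:36:49 GMT'
AFTER='HTTP/2 200
server: nginx
date: Tue, 23 Jun 2020 09:43:17 GMT'
ERROR_PAGE='<html><head><title>502 Bad Gateway</title></head>
<body><center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.17.10 (Ubuntu)</center></body></html>'
```

Run `audit_url https://your-domain-name-here` after reloading Nginx; a non-zero exit status tells you the version is still visible somewhere.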

Other possible values to hide Nginx version

The syntax is as follows:
server_tokens on | off | build | string;
The default on Linux, *BSD and Unix is:
server_tokens on;

Remove version from server header and error pages

The following values enable or disable emitting the Nginx version:

  1. on : Show the version number.
  2. off : Do not display the version number.
  3. build : Emit the build name along with the Nginx version. Requires Nginx 1.11.10 or later.
  4. string : Only works with a commercial subscription. Starting from version 1.9.13, the signature on error pages and the “Server” response header field value can be set explicitly using a string with variables. An empty string disables emission of the “Server” field altogether.

Setting up custom version number in Nginx

For example, commercial subscription (Nginx Plus) users can set a custom server name in place of the real version as follows:
server_tokens "NixCraft_WWW";
Reload the Nginx server:
# service nginx reload
Test it using the curl command:
# curl -I http://127.0.0.1/
[Image: Hiding Nginx version number and setting custom version or name]

Hiding the version is security by obscurity

Yes, this is a security-by-obscurity feature, and it is one layer of defense in depth. It should not be your primary form of defense. You still need to write safe code and install a firewall, especially a WAF (Web Application Firewall). There is no reason to expose the Nginx, PHP or Python version, as it is useful information for an attacker. Remember, your Linux/Unix operating system, web apps and Nginx should remain secure regardless of whether the Nginx version is exposed or not. However, we are not going to do the attackers any favors by advertising the version number. See “Top 25 Nginx Web Server Best Security Practices” for more information.

Conclusion

We have shown you how to easily hide the Nginx version on Linux or Unix based systems. Further, Nginx Plus (commercial/paid option) users can set a custom Nginx version string. As always, see the Nginx docs for details.
