Removing the Nginx Server Header Banner: A Comprehensive Security Guide
If you administer an Nginx web server, you've probably noticed it returns verbose headers that openly advertise the Nginx version. Like this:
Server: nginx/1.14.0
This revealing server banner goes against security best practices. Let's explore why it's important to remove or obscure the banner, dig into the steps to disable it, and cover some advanced techniques to truly mask your version info.
I'll also share my perspective as a technology geek on when you may actually want to keep the banner enabled. There are some exceptions to the rule!
What Is the Server Header and Why Does It Matter?
When you make any HTTP request to a web server, the response headers contain metadata about that server. The Server header specifically indicates the server software and version powering the site.
Here's an example request to nginx.org:
GET / HTTP/1.1
Host: nginx.org
And the response headers include:
Server: nginx/1.14.1
For an attacker performing reconnaissance on your infrastructure, this reveals extremely helpful information:
- The web server software you use (nginx)
- The exact version installed (1.14.1)
According to cybersecurity researchers, over 30% of hacks target known software vulnerabilities. And attackers "fingerprint" server banners to uncover potential holes to exploit.
A Verizon DBIR report found that 75% of vulnerabilities leveraged by hackers were over 2 years old. Simply knowing the software version can aid attackers in targeting unpatched weaknesses.
That's why banners are considered an information leakage vulnerability. The more intel exposed, the more ammo you potentially give the bad guys.
Obscuring your server identity is one of the first rules of hardening web servers securely. The CIS benchmarks for Nginx specify removing the verbose banner as a top priority.
But what's the best way to actually disable this in an Nginx config?
How to Remove the Server Header Banner in Nginx
The server_tokens directive controls what gets output in the Server response header. Here's how to suppress it:
- Edit your main Nginx config file. Typically /etc/nginx/nginx.conf or /usr/local/nginx/conf/nginx.conf.
- Add this line in the main server { } block:
server_tokens off;
- Be sure to put it in the right context, within server { } rather than location { }.
- Save the config file and reload Nginx:
sudo nginx -s reload
Now Nginx will return a generic Server header, no longer disclosing the installed version:
Server: nginx
To validate it worked, you can use curl, browser dev tools, or an online header checker. You should see the banner is now obscured.
Pro Tip: You can also set custom banner strings like "My Custom Server" for additional misdirection.
According to Nginx experts, over 50% of admins neglect to disable detailed server banners. But this simple config tweak makes your infrastructure less vulnerable to external threats.
Other Advanced Techniques to Mask Nginx Versions
If you want to take server banner obfuscation to the next level, there are a few other techniques to mask version details:
- Use ModSecurity to filter out Server headers at the WAF layer. This also protects against other backends leaking versions.
- Front your servers with a proxy or middleware that standardizes all response headers. Services like Cloudflare can help mask origin details.
- For inner services, move Nginx to only handle reverse proxying. Limit its internet exposure and hide it behind gateway facade servers.
- In Kubernetes environments, dynamically inject server_tokens off into Nginx configs at Pod spin-up time. Don't rely on engineers setting it manually.
- Set up a CI/CD pipeline check that validates new versions have server_tokens off set prior to promotion to production.
The more layers of indirection between the outside world and your actual web stack, the better.
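Here is an added example (not from the original post) of the validation step from the how-to section and the CI/CD pipeline check described above, written as a small POSIX shell script: it tests an Nginx config for an active server_tokens off; directive and tests a captured response header block for a version-bearing Server banner. The header blocks and config snippets are constructed samples embedded in the script; in a real pipeline you would feed it the output of curl -sI against your host and the deployed nginx.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post: a CI/CD-style check for
# Nginx version disclosure using only POSIX shell, grep and sed.

# Succeeds (exit 0) when the Server header still carries an nginx version,
# e.g. "Server: nginx/1.14.0"; fails (exit 1) for a bare "Server: nginx".
server_header_leaks_version() {
    # $1: raw response headers, one per line (CRLF tolerated)
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' |
        grep -Eq 'nginx/[0-9]+\.[0-9]+'
}

# Succeeds when the config holds an active "server_tokens off;" directive.
# Comments are stripped first so a commented-out directive does not count.
config_has_server_tokens_off() {
    # $1: nginx config text
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;'
}

# Combined verdict for one config/header pair; exit 1 blocks promotion.
check_site() {
    if config_has_server_tokens_off "$1" && ! server_header_leaks_version "$2"; then
        echo "PASS: server_tokens off and no version in Server header"
        return 0
    fi
    echo "FAIL: version disclosed or server_tokens not off"
    return 1
}

# Constructed sample inputs (not captured from a real host). In a pipeline,
# feed the output of "curl -sI https://<host>/" and the deployed nginx.conf.
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.14.0
Content-Type: text/html'
HARDENED_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'
GOOD_CONF='http {
    server_tokens off;
    server { listen 80; }
}'
BAD_CONF='http {
    # server_tokens off;   <- commented out, so the version still leaks
    server { listen 80; }
}'

check_site "$GOOD_CONF" "$HARDENED_HEADERS"
check_site "$BAD_CONF" "$LEAKY_HEADERS" || true
```

The script's exit status is what a pipeline stage would gate on; the commented-out directive in BAD_CONF is deliberately included because that is the most common way the setting silently goes missing.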
When You May Need to Keep the Banner
I'll admit as a tinkerer, I like knowing the precise software versions I have installed. There are some cases where the verbose banner can be useful:
- Troubleshooting bugs or strange issues. The banner provides helpful context to identify misconfigurations.
- Staging/dev environments where your own team needs to see detailed version info.
- Integrating with frontend tools that expect and parse the Nginx banner specifically.
- Legacy systems where upgrading Nginx causes compatibility problems with older components.
For these cases, the benefits may outweigh the risks. But for customer-facing production systems, removing the banner should be standard practice.
The Takeaway: Hide Your Nginx Version!
While not a silver bullet, obscuring your server banner reduces an unnecessary info leak. Most sites should run the latest stable Nginx release rather than obsolete versions with known security holes.
Don't openly advertise your tech stack and give attackers a targeting advantage. Follow CIS benchmarks and hide the Nginx version info!
Let me know if you have any other creative techniques for suppressing server banners. I'm always looking to boost my server hardening skills. Stay secure out there!