nginx "server_tokens" configuration ignored
nginx.conf:
server_tokens off;
Why could this be ignored? The header is still sent:
Server: nginx
No, other included config files do not contain a server_tokens configuration.
Yes, I did restart all services.
Solution 1:[1]
To cite the docs on the server_tokens directive:
Enables or disables emitting nginx version in error messages and in the “Server” response header field.
According to the docs, it thus doesn't prevent the generation of the Server header but only prevents the addition of the exact version. If you want to completely remove the Server header, you could use the ngx_headers_more module.
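A quick check for what the Server header actually discloses after each change, added here as an example and not part of either answer; the sample responses are constructed, and the live check assumes curl is installed:

```shell
#!/bin/sh
# Classify what an HTTP response's Server header discloses.
# Reads raw response headers (e.g. the output of `curl -sSI URL`) on stdin
# and prints one word:
#   version - product and version, the nginx default ("nginx/1.18.0 (Ubuntu)")
#   product - product name only, what `server_tokens off;` leaves ("nginx")
#   absent  - no (or empty) Server header, which needs ngx_headers_more:
#             more_clear_headers 'Server';
classify_server_header() {
    # Header names are case-insensitive; CRLF line endings are stripped first.
    value=$(tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p' | head -n 1)
    if [ -z "$value" ]; then
        echo absent
    elif printf '%s\n' "$value" | grep -q '/[0-9]'; then
        echo version
    else
        echo product
    fi
}

# Live check against a URL you administer (assumes curl is installed).
check_url() {
    curl -sSI -- "$1" | classify_server_header
}

# Constructed sample responses, not captured from any real host.
SAMPLE_DEFAULT='HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html'
SAMPLE_TOKENS_OFF='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html'
SAMPLE_CLEARED='HTTP/1.1 200 OK
Content-Type: text/html'

for s in "$SAMPLE_DEFAULT" "$SAMPLE_TOKENS_OFF" "$SAMPLE_CLEARED"; do
    printf '%s\n' "$s" | classify_server_header
done
# prints: version, product, absent (one per line)
```

Run the check against an error page as well as a normal one, since the header is set on every response nginx generates.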
Solution 2:[2]
"The setting works as documented"
The above is kinda insane... (Sorry Holger Just, but if you don't understand the rant you should probably not answer.)
That Nginx doesn't need to broadcast its version and the server OS, basically ever, outside of debug situations, shouldn't actually be a question. Nor should people wanting to stop that insane behavior be a problem to anyone who knows anything about infosec.
As it stands, site failures even with the "feature" enabled result in disclosure of information that is unnecessary for visitors. The absolute best you can do is disable it in all your site configs, but when they die you still have a problem. Patching is the only way at the moment, sadly...
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Holger Just |
| Solution 2 | user18870365 |