Attackers are constantly on the prowl, conducting reconnaissance on web servers to retrieve crucial details such as the Nginx version. With this information at hand, they can then leverage known vulnerabilities associated with the version of the Nginx web server and initiate an attack.
Hiding the version of Nginx is, therefore, one of the many ways of securing your Nginx web server and warding off potential attacks.
In this guide, we will explore how to hide the Nginx version in Linux.
Before you get started, ensure that you have an instance of Nginx web server installed and running on your Linux system.
Viewing Version Number of Nginx Web Server
Whenever you query the HTTP headers of a site hosted on Nginx, the version of Nginx is displayed by default among other details. In fact, if you browse a non-existent page of a website hosted on the Nginx web server, you will get a 404 error page with the version of Nginx displayed.
Similarly, you can view the version using the curl command to display the HTTP headers.
$ curl -I ip-address
OR
$ curl -I hostname
As explained, exposing the version of Nginx is not recommended as it can leave your web server prone to attacks. Let’s now see how to hide this information.
How to hide the version of Nginx using the server_tokens directive
The ‘server_tokens’ directive is an Nginx parameter that controls whether the version of Nginx is displayed on error pages and in the HTTP response header field. To hide the version of Nginx, this directive needs to be set to off.
To do this, open the default Nginx configuration file.
$ sudo nano /etc/nginx/nginx.conf
Locate the ‘server_tokens off;’ directive. By default, this is commented out.
Uncomment it and save the changes.
For the changes to take effect, reload or restart the Nginx service.
$ sudo nginx -s reload
OR
$ sudo systemctl restart nginx
Confirm that the Nginx version is hidden
To verify that the version of Nginx is now hidden, browse any error page on your web server and you will notice that this time around, the version is not displayed.
Also, you can query the HTTP headers. Likewise, you will discover that the version is not displayed.
This confirms that the version of Nginx has been hidden from anyone that might want to spy or conduct some reconnaissance on your web server.
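The two checks above can be scripted so they can be repeated after every configuration change. The following is an added example, not part of the original guide: the function names, the sample responses and the version number in them are constructed for illustration, and the URL in the final comment is a placeholder for your own server.

```shell
#!/bin/sh
# Added example; all response samples below are constructed, not captured.

# Read response headers on stdin; print the version from "Server: nginx/x.y.z".
# Header names are case-insensitive and lines end in CRLF, so strip \r first.
server_header_version() {
    tr -d '\r' |
        sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*nginx\/\([0-9][0-9.]*\).*/\1/p' |
        head -n 1
}

# Read an error page body on stdin; print the version from its footer line.
error_page_version() {
    tr -d '\r' |
        sed -n 's/.*<center>nginx\/\([0-9][0-9.]*\).*/\1/p' |
        head -n 1
}

# Succeed only when neither the headers ($1) nor the error body ($2) leak a version.
version_hidden() {
    h=$(printf '%s\n' "$1" | server_header_version)
    b=$(printf '%s\n' "$2" | error_page_version)
    [ -z "$h" ] && [ -z "$b" ]
}

# Constructed samples: default behaviour vs. server_tokens off.
BEFORE_HEADERS=$(printf 'HTTP/1.1 404 Not Found\r\nServer: nginx/1.18.0 (Ubuntu)\r\n')
BEFORE_BODY='<hr><center>nginx/1.18.0 (Ubuntu)</center>'
AFTER_HEADERS=$(printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\n')
AFTER_BODY='<hr><center>nginx</center>'

report() {
    if version_hidden "$2" "$3"; then
        echo "$1: version hidden"
    else
        echo "$1: version exposed"
    fi
}
report "before" "$BEFORE_HEADERS" "$BEFORE_BODY"
report "after" "$AFTER_HEADERS" "$AFTER_BODY"

# Against your own server (hypothetical URL and path):
#   version_hidden "$(curl -sI http://localhost/)" \
#                  "$(curl -s http://localhost/no-such-page)" && echo hidden
```

With server_tokens set to off, the Server header and the error page footer still read nginx; only the version number is removed, which is why the checks look for the version and not the product name.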
We hope that you found this guide insightful and that you can now hide your web server’s version. Your feedback on this article is welcome.