How to Hide Nginx Server Version in Linux
In this short article, we will show you how hide Nginx server version on error pages and in the “Server HTTP” response header field in Linux. This is one of the key recommended practices in securing your Nginx HTTP and proxy server.
This guide assumes that you already have Nginx installed on your system or setup the full LEMP stack by following any of these tutorials below based on your Linux distribution:
- How to Install LEMP (Linux, Nginx, MariaDB, PHP-FPM) on Debian 9 Stretch
- How to Install Nginx, MariaDB and PHP (FEMP) Stack on FreeBSD
- How To Install Nginx, MariaDB 10, PHP 7 (LEMP Stack) in 16.10/16.04
- Install Latest Nginx 1.10.1, MariaDB 10 and PHP 5.5/5.6 on RHEL/CentOS 7/6 & Fedora 20-26
The “server_tokens” directive is responsible for displaying the Nginx version number and Operating system on error pages and in the “Server” HTTP response header field as shown in the following screenshot.
To disable this, you need to turn off the server_tokens directive in /etc/nginx/nginx.conf configuration file.
# vi /etc/nginx/nginx.conf OR $ sudo nano /etc/nginx/nginx.conf
Add the following line to http context as shwon in the screen shot below.
After adding above line, save the file and restart Nginx server to take new changes into effect.
# systemctl restart nginx OR $ sudo systemctl restart nginx
Now verify if its working.
Note: This will only hide the server version number, but not the server signature (name). If you want to hide the server name, compile Nginx from sources and include the
--build=name option to set a nginx build name.
If you are running PHP in your Nginx web server, I suggest you to Hide PHP Version Number.
To further secure and harden Nginx web server, check out our comprehensive guide to securing Nginx in Linux, which you will find useful:
In this article, we explained you how to hide Nginx server version in error pages and “Server” HTTP response header field, in Linux. If you have any queries, use the comment form below to reach us.