Remove Server Header -

Dermot Butterfield - 24 June 2018


Remove Server Header

The default state of an NGINX server is to have the Server set. This returns something like Server: nginx/1.12.1. Here is a list of all the published exploits for nginx to give you an idea why you might not want Server header and the version published, NGINX vulnerabilities. If you want to see what your server headers are you can use The best approach is to remove the header altogether. This requires the installation of nginx-extras.
# Debian/Ubuntu the first 
~/$> sudo apt-get install nginx-extras

# RHEL and Amazon Linux
~/$> yum install nginx-plus-module-headers-more

Remove Server Header

Once that is installed and the service restarted you can add the following to your nginx config file. If you specify no value the Header will be disabled.
# /etc/nginx/nginx.conf

http {
    # Basic Settings
    more_set_headers 'Server: ';

Override Server Header

If you specify a value it will replace the existing value. The next option is to simply replace the value with something meaningless.
# /etc/nginx/nginx.conf

http {
    # Basic Settings
    more_set_headers 'Server: None Of Your Business';

Remove Server Version from Header

Finally if you cannot do any of the other approaches this is just good practice and a minimum for security as it prevents the would be nefarious individual from knowing what exploits are available in the specific version of the server you are running.
# /etc/nginx/nginx.conf

http {
    # Basic Settings
    server_tokens off;

By removing the # before server_token off; you will override the default value of on for this configuration property. The result of the change results in the stripping of the version from the header. Server: nginx

Contact Us

I hope you found this useful or if you have any questions don't hesitate to leave a comment or contact support[@]tomred[.]net



I have spent most of my time working on these little bits of logic or snippets. These come from problems or issues I have encountered over the year. These are insights I have researched or provided as code review feedback.

Oracle WebCenter (FatWire)

During my time working in consulting I was tasked many times with delivering FatWire sites. I took notes due to the lack of useful documentation at the time. These are the results of those notes made and shared.


I believe the majority of time on a project is spent with the UI. Web is no exception. I have compiled a set of articles covering HTML, CSS and JS with the intention of taking the sting out of this work.


A space dedicated to all those things you need to know beyond writing code. This covers Linux, Windows, Git and SVN among other hopefully useful nuggets.


I picked up some pointers over the years consulting for government and banking sectors before entering a PCI DSS development environment. This section covers aspects like coding, testing, code review and best practice.


Apps is a section which offers access to bits and pieces I have put together over the last few years. This includes Random Password Generator and Base64 Encoder.