Hi Teo.
On 2023-10-18 (Mi.) 20:38, Teo Tyrov wrote:
> # HG changeset patch
> # User Theodoros Tyrovouzis <teoty...@gmail.com>
> # Date 1697653906 -10800
> # Wed Oct 18 21:31:46 2023 +0300
> # Node ID 112e223511c087fac000065c7eb99dd88e66b174
> # Parent cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
> Add "server_identification" http option that hides server information
> disclosure in responses
>
> In its responses, nginx by default sends a "Server" header which
> contains "nginx" and the nginx version. Most production systems would
> want this information hidden, as it is technical information disclosure
> (https://portswigger.net/web-security/information-disclosure). nginx
> does provide the option "server_tokens off;" which hides the version,
> but in order to get rid of the header, nginx needs to be compiled with
> the headers_more module, for the option "more_clear_headers". This patch
> provides an http option for hiding that information, which also hides
> the server information from the default error responses.
>
> An alternative would be to add a new option to server_tokens, e.g.
> "incognito".

What's wrong with this directive?
http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
[snipp]
Regards
Alex
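
Added example, not part of the thread or of the patch: a Python check for the two disclosure points the commit message names, the "Server" header and the default error page. The sample responses and the version string nginx/1.25.2 are constructed, and the `<hr><center>...</center>` footer pattern and the "header cleared only" case are assumptions about nginx's stock error page.

```python
import re

# Matches "nginx" or "nginx/<version>" in a Server header value or page footer.
TOKEN = r"(nginx)(?:/(\d[\w.]*))?"
HEADER_RE = re.compile(rf"^{TOKEN}$", re.I)
FOOTER_RE = re.compile(rf"<hr><center>{TOKEN}</center>", re.I)

def _resp(server, footer):
    """Build a constructed 404 response (sample data, not a real capture)."""
    head = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
    if server:
        head += f"Server: {server}\r\n"
    body = "<html><body><center><h1>404 Not Found</h1></center>"
    if footer:
        body += f"<hr><center>{footer}</center>"
    return head + "\r\n" + body + "</body></html>"

SAMPLES = {
    "server_tokens on": _resp("nginx/1.25.2", "nginx/1.25.2"),
    "server_tokens off": _resp("nginx", "nginx"),
    "header cleared only": _resp(None, "nginx"),  # assumed more_clear_headers result
    "nothing disclosed": _resp(None, None),
}

def _level(match):
    """Map a regex match to what it reveals: none, product or version."""
    if match is None:
        return "none"
    return "version" if match.group(2) else "product"

def audit(raw):
    """Report what the Server header and the error page body each disclose."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server")
    if server is None:
        header = "none"
    else:
        m = HEADER_RE.match(server)
        header = _level(m) if m else "other"
    return {"header": header, "error_page": _level(FOOTER_RE.search(body))}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} {audit(raw)}")
```
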