Teo,

You might want to have a look at: https://trac.nginx.org/nginx/ticket/936

If my understanding is correct, this feature is already offered as part of Nginx Plus.

Hope this helps,

A.

On Thu, Oct 19, 2023 at 3:16 PM Teo Tyrov <teoty...@gmail.com> wrote:

> Sorry, I forgot to add the mailing list to the recipients
>
> Best,
> Thodoris
>
> On Wed, Oct 18, 2023 at 11:17 PM Aleksandar Lazic <al-ng...@none.at>
> wrote:
>
>> Hi Teo.
>>
>> On 2023-10-18 (Mi.) 21:18, Teo Tyrov wrote:
>> > Hello Alex,
>> >
>> > This directive removes only the version, so it is still disclosed that
>> > the nginx server is used. I would be asked to remove the entire header
>> > in my previous company, which as far as I know, is not possible without
>> > external modules.
>>
>> got it.
>>
>> > On Wed, Oct 18, 2023 at 10:05 PM Aleksandar Lazic <al-ng...@none.at>
>> > wrote:
>> >
>> >     Hi Teo.
>> >
>> >     On 2023-10-18 (Mi.) 20:38, Teo Tyrov wrote:
>> >     > # HG changeset patch
>> >     > # User Theodoros Tyrovouzis <teoty...@gmail.com>
>> >     > # Date 1697653906 -10800
>> >     > #      Wed Oct 18 21:31:46 2023 +0300
>> >     > # Node ID 112e223511c087fac000065c7eb99dd88e66b174
>> >     > # Parent  cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
>> >     > Add "server_identification" http option that hides server
>> >     > information disclosure in responses
>> >     >
>> >     > In its responses, nginx by default sends a "Server" header which
>> >     > contains "nginx" and the nginx version. Most production systems
>> >     > would want this information hidden, as it is technical
>> >     > information disclosure
>> >     > (https://portswigger.net/web-security/information-disclosure).
>> >     > nginx does provide the option "server_tokens off;" which hides
>> >     > the version, but in order to get rid of the header, nginx needs
>> >     > to be compiled with the headers_more module, for the option
>> >     > "more_clear_headers". This patch provides an http option for
>> >     > hiding that information, which also hides the server information
>> >     > from the default error responses.
>> >     >
>> >     > An alternative would be to add a new option to server_tokens,
>> >     > e.g. "incognito".
>> >
>> >     What's wrong with this directive?
>> >
>> >     http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
>> >
>> >     [snip]
>> >
>> >     Regards
>> >     Alex
>> >
>>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel