In the realm of web servers, one crucial aspect of server security is minimizing the amount of information disclosed about the web server software powering your site. This practice, known as "server header hardening" or "server banner suppression", can significantly bolster your server's defenses against potential threats.
For example, let's take a look at the headers we receive from a site:
$ curl --head testsite.com
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 08 Mar 2023 08:56:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12920
Connection: keep-alive
X-Powered-By: Express
Cache-Control: public, max-age=0
Sensitive information that we obtain:
- The web server is Nginx version 1.18.0
- The site behind it was developed using ExpressJS (Node.js), as the X-Powered-By header reveals
Let's delve into how you can hide this information in Debian using Nginx.
Installing additional modules
For those looking to customize server headers without the bulk of the nginx-extras package, consider installing the libnginx-mod-http-headers-more-filter module:
sudo apt-get install libnginx-mod-http-headers-more-filter
This lightweight module empowers you to manipulate HTTP headers within Nginx configurations, providing flexibility while keeping resource usage low.
Reducing Information Disclosure
In your nginx.conf file (typically located in /etc/nginx/), locate the http block. Here you'll make the modifications that minimize information disclosure. Uncomment the server_tokens off; directive if it is present, or add it if it is missing. This directive stops the version number from being displayed in server responses and on the default error pages (the header becomes Server: nginx, with no version), a critical step in reducing the attack surface:
http {
# Other configurations...
server_tokens off;
# Other configurations...
}
Customizing Server Headers
With the libnginx-mod-http-headers-more-filter module installed (the Debian package loads it for you), you can customize the Server header to obscure specific details. Add the following line within the http block to replace the default Server header with a custom one, such as "My own webserver":
more_set_headers 'Server: My own webserver';
Hiding the site's X-Powered-By header
To remove the "X-Powered-By" header in Nginx, you can use the proxy_hide_header directive in your Nginx configuration. It strips the named header from the responses Nginx receives from the upstream application (here the Express app behind proxy_pass), so the header never reaches the client.
You would normally configure it at site level, in the relevant config file under /etc/nginx/sites-available/:
server {
# Other server configurations...
location / {
# Other location directives (including the proxy_pass to the Express app)...
proxy_hide_header X-Powered-By;
}
# Other location blocks and configurations...
}
Restarting Nginx
After making these crucial adjustments, save the modified configuration files and restart the Nginx service to apply the new configuration:
sudo systemctl restart nginx
Checking the result
Let's repeat the curl command to obtain the headers and check...
$ curl --head testsite.com
HTTP/1.1 200 OK
Server: My own webserver
Date: Thu, 08 Mar 2023 09:12:11 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12920
Connection: keep-alive
Cache-Control: public, max-age=0
- The Server header value is now "My own webserver"
- No X-Powered-By header is shown
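As an added check (example code, not from the original post), here is a small POSIX shell audit that reads a header block and flags a Server header carrying a product name or version, plus any X-Powered-By or similar framework header. It also shows that server_tokens off alone still leaks the product name. The three header samples are constructed from the responses shown above; check_url assumes curl is installed.

```shell
#!/bin/sh
# Added example: audit a block of HTTP response headers for software disclosure.
# Reads raw headers (as printed by `curl --head`) on stdin, prints one finding
# per line, and returns 0 when nothing is disclosed or 1 otherwise.
audit_headers() {
    findings=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')        # strip CRLF line endings
        lc=$(printf '%s' "$line" | tr 'A-Z' 'a-z')      # header names are case-insensitive
        name=${lc%%:*}
        value=${line#*:}; value=${value# }
        case "$name" in
            server)
                case "$lc" in
                    *[0-9].[0-9]*) echo "DISCLOSURE: Server reveals a version: $value" ;;
                    *nginx*|*apache*|*microsoft-iis*|*openresty*|*litespeed*)
                        echo "DISCLOSURE: Server reveals the product: $value" ;;
                    *) continue ;;                      # custom banner, nothing learned
                esac
                findings=$((findings + 1)) ;;
            x-powered-by|x-aspnet-version|x-aspnetmvc-version)
                echo "DISCLOSURE: $name header present: $value"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
# Audit a live site (assumes curl is installed; not used by the samples below).
check_url() {
    curl -sS --head "$1" | audit_headers
}
# Count the findings for a header block passed as the first argument.
count_disclosures() {
    printf '%s\n' "$1" | audit_headers | wc -l | tr -d ' '
}
# Constructed samples modelled on the responses shown in the post.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=utf-8
X-Powered-By: Express'
TOKENS_OFF='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8'
AFTER='HTTP/1.1 200 OK
Server: My own webserver
Content-Type: text/html; charset=utf-8'
for sample in "$BEFORE" "$TOKENS_OFF" "$AFTER"; do
    printf '%s\n' "$sample" | audit_headers || true   # print findings, if any
    echo "=> $(count_disclosures "$sample") disclosure(s)"
done
```

Run it against your own site with check_url https://example.invalid (placeholder) after restarting Nginx; an exit status of 0 means nothing in the checked headers discloses the software stack.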
Conclusion
Minimizing information disclosure is one aspect of a comprehensive security strategy. It not only reduces the attack surface but also contributes to user privacy.