Open oxismailxo opened 3 years ago
Usually one would modify the /etc/nginx/nginx.conf and do
server_tokens "";
However, this only works for commercial nginx versions and not for nginx proxy manager. You would have to compile from source and patch the disclosed version information. Alternatively, you would have to install additional modules like nginx-extras, which allows stuff like this.
Note that hiding server banners is security through obscurity. You should rather focus on a proper patch management process to keep your assets updated with the most recent patch releases. Disclosing openresty in a server's HTTP response does not introduce any security issues.
Currently, the configuration specifies a best practice directive such as:
server_tokens off;
This successfully hides the exact version number of openresty. This is sufficient from a security perspective.
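A way to check the behaviour described in the answer above (with server_tokens off; the response still names openresty but carries no version), as an added example that is not part of the thread or of the project's code. The function names are hypothetical, and the sample responses and the version string in them are constructed.

```python
import re

# Product token with optional "/version", following the Server header grammar.
_PRODUCT = re.compile(r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:/([^\s()]+))?")


def server_header(raw_head):
    """Return the Server header value from a raw HTTP response head, or None."""
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify(raw_head):
    """Return (level, detail); level is 'absent', 'product-only' or 'version'."""
    value = server_header(raw_head)
    if not value:
        return ("absent", None)
    # Drop parenthesised comments such as "(Ubuntu)" before reading the tokens.
    tokens = _PRODUCT.findall(re.sub(r"\([^)]*\)", " ", value))
    for product, version in tokens:
        if version and any(ch.isdigit() for ch in version):
            return ("version", product + "/" + version)
    return ("product-only", value)


# Constructed sample response heads (not captured from a real server).
SAMPLES = {
    "server_tokens on": "HTTP/1.1 200 OK\r\nServer: openresty/1.21.4.1\r\n"
                        "Content-Type: text/html\r\n\r\n<html>",
    "server_tokens off": "HTTP/1.1 200 OK\r\nserver: openresty\r\n"
                         "Content-Type: text/html\r\n\r\n<html>",
    "distro comment": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\n\r\n",
    "header removed": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      "Server: in-body text is ignored",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, "->", classify(head))
```

Only the "version" result is worth flagging in a scan; "product-only" is what the current configuration is expected to produce.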
Alright @l4rm4nd, thank you so much for the clarification & the detailed answer!
I appreciate your help.
Great response @l4rm4nd
FYI openresty is compiled for NPM here should anyone feel like suggesting tweaks in future.
So if one really wants to alter the disclosed openresty product name, it should be possible via an additional build option in build-openresty. Just define your custom name like MyCustomServerName and specify it for the ./configure call:
./configure \
...
--build=MyCustomServerName \
...
Yeah it's possible. You can open a PR on the docker-nginx-full project to test that and CI will build it for you. Beware that builds take over an hour with all the architectures to build for.
Issue is now considered stale. If you want to keep it open, please comment :+1:
Hello NPM community,
Is it possible to hide Server: openresty from the HTTP headers? If yes, how, please?
Thank you in advance.