Closed jimsihk closed 2 years ago
I would recommend everyone to apply all these headers, but I'm afraid they can break some webapps. Therefore I don't think we should include this by default.
Removing the server info is good practice and can't do any harm. If you can remove the add_header's then I can merge this
Thanks for your thought, branch updated
Thank you for your contribution @jimsihk !
NGINX and PHP-FPM versions are currently exposed in HTTP headers, which is considered not secure enough as it exposes OS info. Also added HTTP response headers for higher security.
References:
https://kubernetes.github.io/ingress-nginx/deploy/hardening-guide/
https://www.upguard.com/blog/how-to-build-a-tough-nginx-server-in-15-steps
https://beaglesecurity.com/blog/article/nginx-server-security.html
https://stackoverflow.com/questions/962230/hide-x-powered-by-nginx
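An added example (not code from this PR or the project) that checks what the description is about: it parses a raw HTTP response head and reports whether the Server and X-Powered-By headers still carry a version string, and which of the hardening headers the PR proposed are absent. The two sample responses are constructed; the version numbers in them are made up, and the "after" sample assumes the standard `server_tokens off;` (nginx) and `expose_php = Off` (php.ini) settings have been applied.

```python
import re

# Headers the PR description says currently leak NGINX and PHP-FPM versions.
VERSION_HEADERS = ("server", "x-powered-by")
# Hardening headers of the kind the PR added via add_header (declined by default).
RECOMMENDED = ("x-content-type-options", "x-frame-options", "content-security-policy",
               "strict-transport-security", "referrer-policy")

VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted version number such as 1.24.0


def audit_headers(raw_response: str) -> dict:
    """Parse an HTTP response head; return {"leaks": {header: value}, "missing": [...]}."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    leaks = {h: headers[h] for h in VERSION_HEADERS
             if h in headers and VERSION_RE.search(headers[h])}
    missing = [h for h in RECOMMENDED if h not in headers]
    return {"leaks": leaks, "missing": missing}


# Constructed sample: default behaviour (server_tokens on, expose_php = On); versions are invented.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: nginx/1.24.0\r\n"
          "X-Powered-By: PHP/8.2.7\r\n"
          "Content-Type: text/html\r\n\r\n<html>")

# Constructed sample: after `server_tokens off;` and `expose_php = Off`.
# nginx keeps a bare "Server: nginx"; PHP drops X-Powered-By entirely.
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Server: nginx\r\n"
         "Content-Type: text/html\r\n"
         "X-Content-Type-Options: nosniff\r\n\r\n<html>")

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(sample))
```

Against a live container the same function can be fed the output of `curl -sI http://localhost/`.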