While auditing my website's security by viewing the HTTP response headers with curl, I noticed that nginx gives out quite a bit of server information that should be hidden for security reasons.
You can view your HTTP response headers with the curl command:
$ curl -I http://domain.com/
This is the output from one of my Nginx web servers:
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 09 May 2014 05:19:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.5.12
This information is available to anyone who cares to look: the Server header reveals the exact nginx version and X-Powered-By reveals the PHP version, which lets an attacker match your stack against known vulnerabilities without any further probing. I'm going to show you how to hide both the Nginx version and the X-Powered-By (PHP version) header.
To remove X-Powered-By (PHP’s version)
PHP's configuration file (php.ini) is usually under /etc/, but the exact path depends on the distribution and on the SAPI: CentOS/RedHat typically use a single /etc/php.ini, while Debian/Ubuntu keep a separate copy per SAPI (for example under /etc/php5/fpm/ and /etc/php5/apache2/). The "Loaded Configuration File" line of phpinfo() shows which one your web server actually reads; edit that one. On CentOS that is:
# nano /etc/php.ini
Search for expose_php. By default expose_php is On, which adds the X-Powered-By header with the PHP version to every response (and also enables the PHP logo and credits easter-egg URLs).
expose_php = On
To remove X-Powered-By, turn expose_php off
expose_php = Off
Save php.ini and restart whichever PHP SAPI you are running (Apache with mod_php, or php-fpm); expose_php is a system-level setting and is only read at startup.
To restart Apache on CentOS/RedHat/Fedora
# service httpd restart
To restart Apache on Debian/Ubuntu/Linux Mint
# service apache2 restart
To restart php-fpm if you are running php-fpm with Nginx
# service php-fpm restart
To remove Nginx Version
Nginx gives out its version both in the Server response header and in its default error pages (the "nginx/1.6.0" footer on a 404, for example). For the same reason we also want to hide the Nginx version. To do so, change the server_tokens directive from on (the default) to off in the Nginx configuration file. Note that server_tokens off only strips the version: the bare "Server: nginx" header stays, because stock nginx offers no directive to remove or rename it (that needs the third-party headers-more module, or a rebuild with the name changed in the source). Keep in mind too that hiding the version is hardening against casual fingerprinting, not a substitute for patching; an unpatched nginx is just as exploitable with the banner hidden.
# nano /etc/nginx/nginx.conf
and add server_tokens off; inside the http { ... } block so it applies to every server and location:
http {
    server_tokens off;
    # your nginx configurations here
}
Check the syntax with nginx -t before restarting.
# service nginx restart
Check the headers again:
$ curl -I http://domain.com/
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 09 May 2014 05:53:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Both version numbers are gone: X-Powered-By is no longer sent at all, and Server only names the software without the version.
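As an added example (not part of the original post), here is a small shell check that turns the manual curl inspection above into something you can re-run after every change. It flags version strings such as nginx/1.6.0 or PHP/5.5.12 in whatever is piped into it, so the same function covers the response headers from curl -I and the body of an nginx error page. The SAMPLE_* strings are constructed stand-ins for real curl output so the script runs offline; domain.com in the usage comments is the placeholder the post uses.

```shell
#!/bin/sh
# Added example, not from the original post. Flags server/PHP version
# disclosure in HTTP response headers or error-page bodies.

# Print every line that discloses a version; return 1 if any, 0 if clean.
# Reads from stdin. CRs are stripped so curl's header output matches cleanly.
check_version_leak() {
    leaks=$(tr -d '\r' | grep -iE '(nginx|php|apache)/[0-9]+\.[0-9]+' || true)
    if [ -n "$leaks" ]; then
        printf 'version disclosed:\n%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Constructed sample: headers before the change (as in the post's output).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: nginx/1.6.0
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.5.12'

# Constructed sample: headers after server_tokens off and expose_php = Off.
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8'

# Constructed sample: default nginx 404 body, which also names the version
# until server_tokens is off.
SAMPLE_ERROR_PAGE='<html><head><title>404 Not Found</title></head>
<body><center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.6.0</center></body></html>'

# Real-world use (needs network; replace domain.com with your host):
#   curl -sI http://domain.com/ | check_version_leak
#   curl -s  http://domain.com/does-not-exist | check_version_leak

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | check_version_leak || echo 'before: needs fixing'
printf '%s\n' "$SAMPLE_ERROR_PAGE" | check_version_leak || echo 'error page: needs fixing'
printf '%s\n' "$SAMPLE_AFTER" | check_version_leak && echo 'after: clean'
```

Because the function exits non-zero on any disclosure, it drops straight into a deployment pipeline or a cron job: run it against the home page with curl -I and against a non-existent path (to exercise the error page), and fail the job if either call returns 1.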