How to Hide nginx Web Server Version Signature and Remove X-Powered-By PHP Header on CentOS

If you are running a web server, by default it's showing the world what type of server installed and it is usually shown along with its version number. This information is ignored by most people, with the exception of hackers, who could use this information to launch targeted attacks against your web server and version specifically. In addition, if the version of your web server is known to be vulnerable to a specific exploit, the hacker would just need to use the exploit as part of his attack on your server.

You could check your server's signature from your browser by using Developer Tools (F12 on Firefox and Chrome).

Note: This does not solve any vulnerabilities, and thus does not remove the need to install updates, however it makes it slightly more difficult for the hacker.

Here's one example of your server response from above screenshot:

HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Tue, 17 Jul 2018 17:43:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.36
... omitted

Notice the Server: nginx/1.10.2 line from response header. It tells your visitor what's your web server and the version number. It even tells them that your backend is powered by PHP 5.6.36. This is not good for security reason. Let's hide them from our visitor.

Nginx

Modify nginx.conf configuration

On CentOS, your nginx configuration is located on /etc/nginx/nginx.conf.

$ sudo vi /etc/nginx/nginx.conf

Find the http section, this section defines configurations for nginx’s HttpCoreModule. Add the below directive:

server_tokens off;

This will configure nginx not send any version numbers in the HTTP header.

Removing the server name is possible, however, since nginx modules cannot be dynamically loaded, you would need to recompile nginx from source with the HttpHeadersMoreModule nginx module.

Reload nginx configuration

To apply the change, reload nginx service:

$ sudo service nginx reload

Try to refresh your browser. Your server response should be updated like this:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 17 Jul 2018 18:01:16 GMT
Content-Type: text/html; charset=UTF-8
... omitted

PHP

For server security reasons, it is recommended that you disable or hide this information from attackers who might be targeting your server by wanting to know whether you are running PHP or not.

Assuming a particular version of PHP installed on your server has security holes, and on the other side, attackers get to know this, it will become much easier for them to exploit vulnerabilities and gain access in to the sever through scripts.

$ sudo vi /etc/php.ini

Find the keyword expose_php and set its value to Off:

expose_php = off

If you're running PHP as FPM, then you'll need to reload PHP-FPM

$ sudo service php-fpm reload

After reloading, the response header X-Powered-By: PHP/5.6.36 should be missing.

Final Words

I hope that you now know how to hide nginx web server version signature and remove X-Powered-By PHP header on Centos. If you run into any issues or have any feedback feel free to drop a comment below.