How to Hide nginx Web Server Version Signature and Remove X-Powered-By PHP Header on CentOS


If you are running a web server, by default it tells the world what type of server is installed, usually along with its version number. Most people ignore this information, with the exception of hackers, who could use it to launch attacks targeted at your web server and its version specifically. If the version of your web server is known to be vulnerable to a specific exploit, the hacker would just need to use that exploit as part of the attack on your server.

You can check your server's signature from your browser with the Developer Tools (F12 in Firefox and Chrome).

[Screenshot: Firefox Developer Tools]

Note: this does not fix any vulnerability, so it does not remove the need to install updates; it only makes things slightly more difficult for the hacker.

Here's one example of a server response from the screenshot above:

HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Tue, 17 Jul 2018 17:43:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.36
... omitted

Notice the Server: nginx/1.10.2 line in the response headers. It tells your visitors which web server you run and its version number. The X-Powered-By header even tells them that your backend is powered by PHP 5.6.36. This is not good for security reasons, so let's hide both from visitors.

Nginx

Modify nginx.conf configuration

On CentOS, the nginx configuration is located at /etc/nginx/nginx.conf.

$ sudo vi /etc/nginx/nginx.conf

Find the http section; this section defines the configuration for nginx's HttpCoreModule. Add the following directive:

server_tokens off;

This configures nginx not to send its version number in the Server response header.

Removing the server name entirely is also possible; however, since nginx modules cannot be dynamically loaded, you would need to recompile nginx from source with the HttpHeadersMoreModule nginx module.

Reload nginx configuration

To apply the change, reload nginx service:

$ sudo service nginx reload

Refresh your browser. The server response should now look like this:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 17 Jul 2018 18:01:16 GMT
Content-Type: text/html; charset=UTF-8
... omitted
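As an added example that is not part of the original article, here is a small POSIX shell script that checks a saved response header block for both leaks discussed on this page: a version number in the Server header and the presence of X-Powered-By. The sample headers embedded in it are constructed from the two responses shown above. To check a live host, save the output of curl -sI for your own URL to a file and pass that file to audit_headers (the function name is mine); it reports what that one URL returned, nothing more.

```shell
#!/bin/sh
# Added example, not from the original article: audit a raw HTTP response
# header block for the two disclosures the article removes.
# Returns 0 when nothing leaks, 1 when at least one leak is found.

audit_headers() {
    # $1: file holding raw response headers (CRLF or LF line endings)
    leaks=0
    # Drop carriage returns so the anchored patterns work on curl output too.
    hdrs=$(tr -d '\r' < "$1")

    # "Server: nginx/1.10.2" -> a version follows the slash (server_tokens on)
    if printf '%s\n' "$hdrs" | grep -iq '^server:.*/[0-9]'; then
        echo "LEAK  Server header exposes a version (set server_tokens off)"
        leaks=1
    elif printf '%s\n' "$hdrs" | grep -iq '^server:'; then
        echo "INFO  Server header present without a version"
    fi

    # "X-Powered-By: PHP/5.6.36" -> expose_php is still on
    if printf '%s\n' "$hdrs" | grep -iq '^x-powered-by:'; then
        echo "LEAK  X-Powered-By header present (set expose_php = Off)"
        leaks=1
    else
        echo "OK    no X-Powered-By header"
    fi
    return $leaks
}

# Constructed sample: the "before" response from the article.
before=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.10.2\r\nX-Powered-By: PHP/5.6.36\r\n\r\n' > "$before"
# Constructed sample: the "after" response once both settings are applied.
after=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n' > "$after"

echo "== before =="; audit_headers "$before" || echo "(leaks found)"
echo "== after ==";  audit_headers "$after"  || echo "(leaks found)"
rm -f "$before" "$after"
```

The Server check is deliberately generic (any product followed by a slash and a digit), so the same script flags an Apache or PHP-FPM version string as well, not only the nginx one shown here.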

PHP

For security reasons, it is recommended that you disable or hide this information from attackers who might be targeting your server and want to know whether you are running PHP.

If a particular version of PHP installed on your server has security holes, and attackers get to know which version it is, it becomes much easier for them to exploit those vulnerabilities and gain access to the server through scripts.

$ sudo vi /etc/php.ini

Find the expose_php setting and set its value to Off:

expose_php = off

If you're running PHP as FPM, you'll also need to reload PHP-FPM:

$ sudo service php-fpm reload

After reloading, the X-Powered-By: PHP/5.6.36 response header should be gone.
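Putting the nginx and PHP steps together, here is an added example (my own script, not code from the article) that applies both settings idempotently: it inserts server_tokens off; into the http block of nginx.conf when it is missing, flips an explicit server_tokens on; instead of adding a duplicate directive, sets expose_php to Off in php.ini without touching the commented-out sample line, and only reloads nginx after nginx -t validates the result. The paths default to the CentOS locations used in the article and can be overridden with NGINX_CONF and PHP_INI; the function names and the --apply flag are my own. Run without arguments, it demonstrates the rewrite on two constructed sample files in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: apply "server_tokens off;"
# and "expose_php = Off" idempotently, then reload only after validation.
# Defaults are the CentOS paths from the article; override them for testing.
NGINX_CONF=${NGINX_CONF:-/etc/nginx/nginx.conf}
PHP_INI=${PHP_INI:-/etc/php.ini}

# Copy temp file $2 over $1 in place, so $1 keeps its owner and mode.
replace_contents() {
    cat "$2" > "$1" && rm -f "$2"
}

# Ensure exactly one active "server_tokens off;" in the http {} block.
ensure_server_tokens_off() {
    conf=$1
    if grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$conf"; then
        return 0                       # already hardened, nothing to do
    fi
    tmp=$(mktemp)
    if grep -Eq '^[[:space:]]*server_tokens[[:space:]]+on[[:space:]]*;' "$conf"; then
        # Flip the explicit "on"; a second directive in the same block
        # would make nginx -t fail with a "directive is duplicate" error.
        awk '/^[[:space:]]*server_tokens[[:space:]]+on[[:space:]]*;/ {
                 sub(/server_tokens[[:space:]]+on/, "server_tokens off") }
             { print }' "$conf" > "$tmp"
    else
        # No directive at all: add it on the line after "http {".
        awk '{ print }
             /^[[:space:]]*http[[:space:]]*[{]/ && !done {
                 print "    server_tokens off;"; done = 1 }' "$conf" > "$tmp"
    fi
    replace_contents "$conf" "$tmp"
}

# Ensure an active "expose_php = Off"; commented ";expose_php" lines are left alone.
set_expose_php_off() {
    ini=$1
    if grep -Eq '^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*[Oo][Ff][Ff]' "$ini"; then
        return 0
    fi
    tmp=$(mktemp)
    if grep -Eq '^[[:space:]]*expose_php[[:space:]]*=' "$ini"; then
        awk '/^[[:space:]]*expose_php[[:space:]]*=/ { $0 = "expose_php = Off" } { print }' "$ini" > "$tmp"
    else
        # PHP defaults to On when the setting is absent, so add it explicitly.
        cat "$ini" > "$tmp"
        echo "expose_php = Off" >> "$tmp"
    fi
    replace_contents "$ini" "$tmp"
}

# Apply to the real files and reload; nginx -t guards against a broken config.
apply_hardening() {
    ensure_server_tokens_off "$NGINX_CONF"
    set_expose_php_off "$PHP_INI"
    nginx -t && service nginx reload
    service php-fpm reload 2>/dev/null || true   # only present with PHP-FPM installed
}

# Demo on constructed sample files, not the real CentOS files.
demo() {
    dir=$(mktemp -d)
    printf 'events {}\nhttp {\n    include mime.types;\n}\n' > "$dir/nginx.conf"
    printf '[PHP]\n;expose_php = On\nexpose_php = On\n' > "$dir/php.ini"
    ensure_server_tokens_off "$dir/nginx.conf"
    set_expose_php_off "$dir/php.ini"
    cat "$dir/nginx.conf" "$dir/php.ini"
    rm -rf "$dir"
}

if [ "${1:-}" = "--apply" ]; then apply_hardening; else demo; fi
```

Run it as root with --apply to change the real files; the rewrite goes through a temp file that is copied back over the original rather than moved, which keeps the ownership and SELinux context of the files under /etc intact.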

Final Words

I hope that you now know how to hide the nginx web server version signature and remove the X-Powered-By PHP header on CentOS. If you run into any issues or have any feedback, feel free to drop a comment below.
