
Question Removing nginx Server header

QWeb Ric

Basic Pleskian
Server operating system version
AlmaLinux 9.3
Plesk version and microupdate number
Plesk Obsidian 18.0.64
One of our clients has had a pen test performed on their website, and the tester has asked us to remove the "Server: nginx" response header.

We run the default Apache + nginx configuration on all of our servers and, as far as I understand it, this header is generated by nginx and cannot be disabled.

I've found a lot of references to various third-party modules which can then be configured to remove the header again after nginx has added it, but I'm struggling to find any up-to-date information on this, particularly in terms of compatibility with Plesk. Most of the related forum threads are from 2016 - 2018.

To the point - what's the current, recommended method to remove this response header when using Plesk? Is there a directive I can just add to the additional nginx directives block either per-site or globally? Or a Plesk-safe module I can install either via Plesk or dnf/yum (AlmaLinux here)?
 
Honestly you could and probably should just turn it off for all the sites. This is done by editing the plesk.ini file and rebuilding the domain configs. Refer to https://support.plesk.com/hc/en-us/...X-Powered-By-for-all-websites-hosted-in-Plesk for instructions on how to turn it off.

If you want to disable it for just a single site, go to the domain in question then go to Hosting & DNS > Apache & nginx and add the following to the Additional nginx directive:

NGINX:
Header unset X-Powered-By;

Or is it for Additional directives for HTTP or HTTPS? Can't remember, it's one of those 3.
 
Thanks, but it's the "server: nginx" header that I'm trying to get rid of, either per-site or globally. Worth ditching the powered-by headers too I suppose, but somehow the pen tester didn't pick up on those.
 
The "server: nginx" is part of the X-Powered-By header, just remove it.
Hmm. Doesn't seem to be the case for me!

xPoweredByHeader = off; does remove the x-powered-by: PleskLin header, but the server: nginx and even the x-powered-by: PHP/x.x.xx headers are left intact.

I wonder if it's because we're running PHP as an FPM app. Perhaps this causes these headers to be added in after the Plesk config tells nginx not to include them?

Edit: To clarify, we're running nginx as a proxy with PHP as an Apache FPM app.
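
An added example, not part of the thread and not Plesk's own tooling: a small Python check that reads a raw response-header block and lists the banner headers still present, tagging each with the component that emits it. The two inputs are constructed from the headers named in the last post; the source labels are this example's assumption based on the value format.

```python
import re

# Constructed sample: the response headers the last post reports after
# xPoweredByHeader was turned off (the PHP version stays elided, as posted).
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Powered-By: PHP/x.x.xx\r\n"
    "\r\n"
)
# Constructed sample: the same response before the change.
SAMPLE_BEFORE = SAMPLE_AFTER.replace(
    "\r\n\r\n", "\r\nX-Powered-By: PleskLin\r\n\r\n")

# (header name, value pattern, component assumed to emit it)
RULES = [
    ("server", re.compile(r"nginx", re.I), "nginx"),
    ("server", re.compile(r"apache", re.I), "Apache"),
    ("x-powered-by", re.compile(r"^PleskLin", re.I), "Plesk"),
    ("x-powered-by", re.compile(r"^PHP/", re.I), "PHP"),
]

def parse_headers(raw):
    """Return (name, value) pairs, keeping repeated headers separate."""
    pairs = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def disclosures(raw):
    """List (header, value, source) for each banner header still present."""
    found = []
    for name, value in parse_headers(raw):
        if name not in ("server", "x-powered-by"):
            continue
        source = next((src for hdr, pat, src in RULES
                       if hdr == name and pat.search(value)), "unknown")
        found.append((name, value, source))
    return found

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, disclosures(raw))
```

Passing it the output of `curl -sI` for a site before and after a configuration change shows which banner each setting actually removed.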
 