• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question Removing nginx Server header

QWeb Ric

Basic Pleskian
Server operating system version
AlmaLinux 9.3
Plesk version and microupdate number
Plesk Obsidian 18.0.64
One of our clients has had a pen test performed on their website, and the tester has asked us to remove the "Server: nginx" response header.

We run the default Apache + nginx configuration on all of our servers and, as far as I understand it, this header is generated by nginx and cannot be disabled.

I've found a lot of references to various third party modules which can then be configured to remove the header again after nginx has added it, but I'm struggling to find any up to date information on this, particularly in terms of compatibility with Plesk. Most of the related forum threads are from 2016 - 2018.

To the point - what's the current, recommended method to remove this response header when using Plesk? Is there a directive I can just add to the additional nginx directives block either per-site or globally? Or a Plesk-safe module I can install either via Plesk or dnf/yum (Almalinux here)?
 
Honestly you could and probably should just turn it off for all the sites. This is done by editing the plesk.ini file and rebuilding the domain configs. Refer to https://support.plesk.com/hc/en-us/...X-Powered-By-for-all-websites-hosted-in-Plesk for instructions how to turn it off.

If you want to disable it for just a single site, go to the domain in question then go to Hosting & DNS > Apache & nginx and add the following to the Additional nginx directive:

NGINX:
Header unset X-Powered-By;

Or is it for Additional directives for HTTP or HTTPS? Can't remember, it's one of those 3.
 
Honestly you could and probably should just turn it off for all the sites. This is done by editing the plesk.ini file and rebuilding the domain configs. Refer to https://support.plesk.com/hc/en-us/...X-Powered-By-for-all-websites-hosted-in-Plesk for instructions how to turn it off.

If you want to disable it for just a single site, go to the domain in question then go to Hosting & DNS > Apache & nginx and add the following to the Additional nginx directive:

NGINX:
Header unset X-Powered-By;

Or is it for Additional directives for HTTP or HTTPS? Can't remember, it's one of those 3.
Thanks, but it's the "server: nginx" header that I'm trying to get rid of, either per-site or globally. Worth ditching the powered-by headers too I suppose, but somehow the pen tester didn't pick up on those.
 
The "server: nginx" is part of the X-Powered-By header, just remove it.
Hmm. Doesn't seem to be the case for me!

xPoweredByHeader = off; does remove the x-powered-by: PleskLin header, but the server: nginx and even the x-powered-by: PHP/x.x.xx headers are left in-tact.

I wonder if it's because we're running PHP as an FPM app. Perhaps this causes these headers to be added in after the Plesk config tells nginx not to include them?

Edit: To clarify, we're running nginx as a proxy with PHP as an Apache FPM app.
 
Hmm. Doesn't seem to be the case for me!

xPoweredByHeader = off; does remove the x-powered-by: PleskLin header, but the server: nginx and even the x-powered-by: PHP/x.x.xx headers are left in-tact.

I wonder if it's because we're running PHP as an FPM app. Perhaps this causes these headers to be added in after the Plesk config tells nginx not to include them?

Edit: To clarify, we're running nginx as a proxy with PHP as an Apache FPM app.
Remove x-powered-by: PHP header you should edit php ini, globally /opt/plesk/php/7.4/etc/php.ini (7.4 is the version) and restart apache. nginx also I am still looking for.
 
[...] but the server: nginx[...]
As I understand, there is no built-in ability; it is hardcoded. As an option, you can hide nginx/website behind CDN.

x-powered-by: PHP/x.x.xx
 
Back
Top