Disable server_tokens directive in NGINX #9

@JJediny

Description

Draft CIS Benchmark 1.1.10

Description

By default NGINX will happily tell a user what version of NGINX is in use. This is valuable information to an attacker, and should be turned off by making use of the server_tokens directive.

Rationale

Potential attackers may check if your version of NGINX contains known vulnerabilities. Hiding the version will slow down and mitigate potential attackers.

Remediation

To disable the server_tokens directive, set it to off inside a server block in your nginx.conf: server { ... server_tokens off; ... }

Audit

In the NGINX configuration file nginx.conf ensure the server_tokens directive is set to off. You can also check a 404 page provided by NGINX and see if it displays a version number.
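The remediation and audit steps above, carried out as an added shell example that is not part of the issue or of the CIS benchmark text. It checks a config file for an effective server_tokens off (a later server_tokens on in a nested block re-enables the leak, and a commented-out directive counts for nothing) and checks a captured 404 response for a version string. The config files and HTTP responses are constructed inline for a dry run; the function only reads directives written one per line in the file it is given and does not follow include statements.

```shell
#!/bin/sh
# Added example: dry-run audit for NGINX server_tokens (CIS draft 1.1.10).
# Assumes POSIX sh with sed, awk and grep. All inputs below are constructed.

# audit_server_tokens CONF -> prints "pass" when server_tokens is explicitly set
# to off and never set to anything else; "fail" otherwise (nginx defaults to on,
# so a missing directive is a fail). Comments are stripped first so a commented
# "# server_tokens off;" line is not mistaken for an active setting.
audit_server_tokens() {
  vals=$(sed 's/#.*$//' "$1" |
         awk '$1 == "server_tokens" { v = $2; sub(/;.*/, "", v); print v }')
  [ -z "$vals" ] && { echo fail; return 1; }
  for v in $vals; do
    case "$v" in
      off) ;;
      *)   echo fail; return 1 ;;   # "on" or "build" re-exposes the version
    esac
  done
  echo pass
  return 0
}

# check_response FILE -> prints "leak" if the Server header or the error page
# body contains an nginx version such as nginx/1.18.0, else "clean".
# Pass "-" as FILE to read a live response from stdin.
check_response() {
  if grep -Eiq 'nginx/[0-9]+\.[0-9]+' "$1"; then
    echo leak; return 1
  fi
  echo clean
  return 0
}

# --- constructed sample inputs -------------------------------------------
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp); DEFAULT_CONF=$(mktemp)
LEAKY_RESP=$(mktemp); CLEAN_RESP=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF" "$DEFAULT_CONF" "$LEAKY_RESP" "$CLEAN_RESP"' EXIT

cat >"$GOOD_CONF" <<'EOF'
http {
    server_tokens off;   # hides the version in the Server header and error pages
    server {
        listen 80;
    }
}
EOF

cat >"$BAD_CONF" <<'EOF'
http {
    server_tokens off;
    server {
        listen 80;
        server_tokens on;   # re-enabled for this server block: version leaks here
    }
}
EOF

cat >"$DEFAULT_CONF" <<'EOF'
http {
    # server_tokens off;   commented out, so the nginx default (on) applies
    server { listen 80; }
}
EOF

# Constructed 404 responses: the default page prints the version twice.
printf 'HTTP/1.1 404 Not Found\r\nServer: nginx/1.18.0\r\n\r\n<center>nginx/1.18.0</center>\n' >"$LEAKY_RESP"
printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n<center>nginx</center>\n' >"$CLEAN_RESP"

# Dry run over the samples.
for f in "$GOOD_CONF" "$BAD_CONF" "$DEFAULT_CONF"; do
  printf 'config %s: %s\n' "$f" "$(audit_server_tokens "$f")"
done
for r in "$LEAKY_RESP" "$CLEAN_RESP"; do
  printf 'response %s: %s\n' "$r" "$(check_response "$r")"
done
```

Against a real host, the second check is the same function fed by curl, for example: curl -si http://HOST/this-page-does-not-exist | check_response - (HOST is a placeholder). Note that a "pass" from the config check only proves the directive is present in that one file; the response check is the one that confirms what clients actually see.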
