Hide server tokens #414
Good point. Do you see any other rationale besides the fact that a would-be attacker can determine what vulnerabilities your server has based on your nginx version?
I've made this update to our Listed server as a preliminary test to make sure it doesn't throw anything off. Will update main servers after that.
It's mainly to reduce information leakage for the reason you suggested.
Depending on how you read the advice from Apache httpd docs: https://httpd.apache.org/docs/current/mod/core.html#servertokens, it may seem ineffective or even a bad idea!? I strongly disagree with their statement regarding security regarding tokens on that page, as would Qualys, OWASP, and plenty of other security auditing software.
Regardless, if you don't need it for your own debugging purposes then I don't see the benefit of sending extra, redundant bytes in every response.
Could also be read as "if you're not trying to debug, then it doesn't hurt to."
That's true in the sense that hiding tokens does not itself prevent someone exploiting a vulnerability. It definitely does make it more difficult for an attacker to determine the version and that may assist them in finding a vulnerability to exploit.
I'd argue that's a truism. At the same time though, I'm not sure anyone would say revealing more information about your system than necessary is good security.
Just my $0.02.
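One way to verify the change this thread discusses is to inspect the response headers before and after `server_tokens off;` is applied. The check below is an added example, not code from this repository or thread; the two response blocks are constructed samples (the `nginx/1.14.0 (Ubuntu)` value is illustrative, not a real deployment), and the header names it flags are assumptions about where version strings commonly appear.

```python
import re
from typing import Dict

# Constructed sample responses (not captured from any real server):
# the first is what nginx sends with the default `server_tokens on`,
# the second after `server_tokens off` has been applied.
RESPONSE_TOKENS_ON = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.0 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RESPONSE_TOKENS_OFF = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Assumed set of headers that commonly carry product/version details.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# A dotted numeric run such as 1.14 or 1.14.0 counts as a version string.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response header block into a lower-cased name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_version_leaks(raw: str) -> Dict[str, str]:
    """Return the disclosure headers whose value contains a version number."""
    headers = parse_headers(raw)
    return {
        name: value
        for name, value in headers.items()
        if name in DISCLOSURE_HEADERS and VERSION_RE.search(value)
    }


if __name__ == "__main__":
    for label, resp in (("tokens on", RESPONSE_TOKENS_ON), ("tokens off", RESPONSE_TOKENS_OFF)):
        print(label, "->", find_version_leaks(resp) or "no version disclosed")
```

Running it against a live server's headers (e.g. the output of `curl -sI`) works the same way, since `parse_headers` only needs the raw header block.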