nginx: Remove "Server" response header - not honour what said in doco

Question

Nginx version: 1.15.8

According to nginx doc: http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens:

"starting from version 1.9.13 the signature on error pages and the “Server” response header field value can be set explicitly using the string with variables. An empty string disables the emission of the “Server” field."

But when I put in this

server_tokens '';

it complains:

nginx: [emerg] invalid value "" 

Also tried:

server_tokens "";

server_tokens;

None of them work. Note that I want to remove the "Server" header completely not just the version which can be done straightforwardly with "server_tokens off;"

Does anyone have it working this way ? Comments & suggestions are welcome.

Thanks,

Answer 1

Use the following in the http directive, it is more correct (from official readme under 'Synopsis')

more_set_headers 'Server: some string';

For a more complete answer for others. If you are using nginx commercial version, you could just use the following in your http directive: (http core module docs)

server_tokens 'string';

If using modsecurity v2-2.9, you can add to your relevant modsecurity conf file the following: SecServerSignature String

This doesnt work for modsecurity v3, seems to be deprecated.

Answer 2

Additionally, as part of our commercial subscription, starting from version 1.9.13 the signature on error pages and the “Server” response header field value can be set explicitly using the string with variables. An empty string disables the emission of the “Server” field.

Source: http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens

It requires a commercial subscription.

Otherwise, install ngx_headers_more module.

And add the following to your nginx conf, and restart nginx. This will remove the "server" header. -

more_clear_headers  "Server";
more_clear_headers  "server";

Installation: https://github.com/openresty/headers-more-nginx-module#installation