"server_tokens off" still showing server software

Hi there

We’re running a site for a large company using 0.5.35. Their IT
security team insists that the “Server: nginx” HTTP header must be
removed. I’ve set “server_tokens off” in both http and server
sections, and the version number is no longer shown, but I still get
“Server: nginx”.

I need to remove this completely, as they may actually insist we
change server software if this is not done.

Is there a way to do this through config?

In the meantime, as I don’t have time to learn the ngx code well
enough to add a config directive of my own, I’ve removed the
following lines in src/http/ngx_http_header_filter_module.c, rebuilt,
and the header is, obviously, no longer sent.

But will this cause other problems?

48: static char ngx_http_server_string[] = "Server: nginx" CRLF;
49: static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

127:     { ngx_string("Server"), offsetof(ngx_http_headers_out_t, server) },

243:     if (r->headers_out.server == NULL) {
244:         len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 1:
245:                                      sizeof(ngx_http_server_string) - 1;
246:     }

284:           + r->server_name.len

295:           + r->server_name.len

369:     if (r->headers_out.server == NULL) {
370:         if (clcf->server_tokens) {
371:             p = (u_char *) ngx_http_server_full_string;
372:             len = sizeof(ngx_http_server_full_string) - 1;
373:
374:         } else {
375:             p = (u_char *) ngx_http_server_string;
376:             len = sizeof(ngx_http_server_string) - 1;
377:         }
378:
379:         b->last = ngx_cpymem(b->last, p, len);
380:     }

447:     b->last = ngx_copy(b->last, r->server_name.data, r->server_name.len);

I hope this doesn’t go against the whole nginx philosophy - I’m
normally quite proud of nginx server tokens!
But if it’s either “do this or use Apache”, then I’d rather do this …

Many thanks,
Igor
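Added example for this thread (not code from the original posts or from nginx): after setting "server_tokens off" or rebuilding with the Server header removed as described above, a practitioner wants a repeatable check of what a response still discloses. The script below classifies the Server header of a raw HTTP response as "absent", "product" (software named, no version) or "version" (software and version), and includes a helper for checking a server you operate over the network. The sample responses are constructed here, not captured from any real server; the function names are my own.

```python
"""Classify what an HTTP response's Server header discloses.

Added example, not part of the original thread or of nginx. The sample
responses below are constructed, not captured from a real server.
"""
import http.client
import re
from urllib.parse import urlparse

# Constructed sample responses covering the three states the thread discusses.
SAMPLE_VERSION = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/0.5.35\r\n"      # server_tokens on: software and version
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_PRODUCT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"             # server_tokens off: software, no version
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_ABSENT = (
    b"HTTP/1.1 200 OK\r\n"           # header removed at the source level
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw_response: bytes) -> dict:
    """Return the response headers as a dict keyed by lower-cased name.

    Only the head section (up to the first blank line) is inspected, and a
    repeated header keeps its last value, which is enough for this check.
    """
    head, _sep, _body = raw_response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def classify_server_value(value):
    """Map a Server header value to one of: "absent", "product", "version".

    A missing or empty header both count as "absent": neither names software.
    """
    if value is None or value.strip() == "":
        return "absent"
    # A product token followed by "/<digit>" carries a version, e.g. nginx/0.5.35.
    if re.search(r"/\d", value):
        return "version"
    return "product"


def server_disclosure(raw_response: bytes) -> str:
    """Classify the Server header of a raw HTTP response."""
    return classify_server_value(parse_headers(raw_response).get("server"))


def check_live(url: str, timeout: float = 5.0) -> str:
    """Send a HEAD request to a server you operate and classify its Server header.

    Network helper for real use; the offline samples above exercise the same
    classification logic without any network access.
    """
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return classify_server_value(conn.getresponse().getheader("Server"))
    finally:
        conn.close()


if __name__ == "__main__":
    for label, sample in (("version", SAMPLE_VERSION),
                          ("product", SAMPLE_PRODUCT),
                          ("absent", SAMPLE_ABSENT)):
        print(f"{label:8s} -> {server_disclosure(sample)}")
```

Run it as-is to see the three states on the constructed samples; call check_live("http://your-host/") (a placeholder URL) against the rebuilt server to confirm the result is "absent" before handing the site back to the security team.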

On Mon, Mar 10, 2008 at 06:20:15PM +0000, Igor C. wrote:

> 284: + r->server_name.len
> 376: len = sizeof(ngx_http_server_string) - 1;
> But if it’s either “do this or use Apache”, then I’d rather do this …
Removing this code will not cause other problems.
As to disabling the Server header via the configuration file, I will do it only
after the Apache team does the same thing. I believe that will never happen.

On 10 Mar 2008, at 18:43, Igor S. wrote:

> after Apache team does the same thing. I believe it will never be.
Thanks Igor. You’re right about Apache too, of course - I thought its
“ServerTokens” directive allowed “Off”, but it seems I was wrong.

Best wishes
Igor