fastcgi_hide_header
The 'fastcgi_hide_header' directive controls which HTTP headers from a FastCGI response are hidden from clients.
Description
The 'fastcgi_hide_header' directive tells NGINX which headers in the FastCGI server's response must not be sent to the client. Use it to keep specific headers from being exposed for security or operational reasons, so that clients do not see unnecessary or sensitive information. It accepts a single argument: the name of the HTTP header to hide. For instance, 'fastcgi_hide_header X-Powered-By;' prevents the 'X-Powered-By' header from being returned to the client, even if the FastCGI application includes it in its response.
This directive can be placed in various contexts including 'http', 'server', and 'location', giving it flexibility in configuration depending on where you want to apply the header suppression. When the specified header appears in a FastCGI response, NGINX will simply not include it in the final HTTP response sent back to the client, thus not exposing potentially sensitive information. This feature is particularly useful when dealing with applications that disclose information that may be used for fingerprinting attacks or when configuring applications with specific security needs in mind.
Config Example
location /api {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_hide_header X-Powered-By;
}
Be cautious to avoid hiding necessary headers that may be needed by clients for functionality or debugging.
Ensure that the specified header names are correct and do not contain typographical errors, as headers are case-sensitive.
The directive will not affect headers that are modified or generated by NGINX itself; it only applies to headers returned from the FastCGI backend.
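Because the directive can appear at the 'http', 'server' and 'location' levels, it helps to check which headers each FastCGI location actually hides: NGINX inherits 'fastcgi_hide_header' entries from the enclosing level only when the current level defines none of its own. The audit script below is an added example, not part of the NGINX documentation or code base; the simplified parser, the names WATCHED, parse and audit, the constructed sample config and the header name X-Debug-Info are all assumptions made for illustration.

```python
import re

WATCHED = {"X-Powered-By"}  # assumed watch list; extend for your backends
# Constructed sample config, not taken from a real deployment.
SAMPLE = """
http {
    fastcgi_hide_header X-Powered-By;
    server {
        location /api {
            fastcgi_pass 127.0.0.1:9000;   # inherits the http-level list
        }
        location /admin {
            fastcgi_hide_header X-Debug-Info;  # replaces the inherited list
            fastcgi_pass 127.0.0.1:9000;
        }
    }
}
"""

def parse(text):
    """Parse simplified nginx syntax into [(name, args, children-or-None)]."""
    tokens = iter(re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text)))
    def block():
        items, words = [], []
        for tok in tokens:
            if tok == "}":
                break
            if tok in (";", "{"):
                items.append((words[0], words[1:], block() if tok == "{" else None))
                words = []
            else:
                words.append(tok)
        return items
    return block()

def audit(items, inherited=frozenset(), path=""):
    """Return [(context path, watched headers still exposed)] per fastcgi_pass."""
    own = {a[0] for n, a, c in items if n == "fastcgi_hide_header" and a}
    effective = frozenset(own) if own else inherited  # own entries override
    found = []
    if any(n == "fastcgi_pass" for n, _, _ in items):
        found.append((path, sorted(WATCHED - effective)))
    for name, args, children in items:
        if children is not None:
            label = " ".join([name, *args])
            found += audit(children, effective, f"{path} > {label}" if path else label)
    return found

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```

In the sample, '/admin' no longer hides 'X-Powered-By' because its own 'fastcgi_hide_header' line replaces the list set at the 'http' level; repeating the directive for that header inside the location closes the gap.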