server_tokens

The 'server_tokens' directive controls whether NGINX includes the server version in HTTP response headers.

Syntax: server_tokens on | off | build;
Default: on
Context: http, server, location
Arguments: 1

Description

The 'server_tokens' directive manages the visibility of version information in NGINX's HTTP response headers. With the default setting, 'on', NGINX exposes its version in the 'Server' response header, which can reveal information useful to attackers. Setting the directive to 'off' prevents the inclusion of NGINX version details, so the server identifies itself simply as 'nginx'. The directive also accepts the parameter 'build', which will show version information only on error pages, keeping it hidden in normal responses. This behavior can help minimize the attack surface by making it harder for attackers to identify the server version and exploit known vulnerabilities.

Config Example

http {
    server_tokens off;
}

Setting 'server_tokens off' does not prevent the version from being shown in error pages unless specified properly with 'build'.

Be sure to test your configuration after setting this directive to avoid unexpected behavior.

This directive must be placed in the 'http', 'server', or 'location' context. If placed incorrectly, it won't take effect.
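
Because the directive is valid at the 'http', 'server' and 'location' levels, a block that does not set it inherits the enclosing block's value, and an inner setting overrides an outer one. The following added example (not part of the original page or of NGINX itself) audits a configuration for blocks whose effective value is not 'off'. The names parse_blocks, audit and disclosing are hypothetical, the sample configuration is constructed, and the tokenizer is simplified (no quoted strings, no 'include' files).

```python
import re

CONTEXTS = {"http", "server", "location"}  # contexts the page lists for server_tokens
# Constructed sample configuration, not taken from the page.
SAMPLE = """
http {
    server {
        location /status { server_tokens on; }   # local override
        location /app { }
    }
    server_tokens off;   # set after the server block, still inherited by it
}
"""

def parse_blocks(conf_text):
    """Parse nginx-style text into a tree of {name, own, children} blocks."""
    text = re.sub(r"#[^\n]*", "", conf_text)          # drop comments
    root = {"name": "main", "own": None, "children": []}
    stack, words = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                                 # words so far name the block
            block = {"name": " ".join(words), "own": None, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif tok == "}":
            stack.pop()
        elif tok == ";":                               # end of a simple directive
            if len(words) == 2 and words[0] == "server_tokens":
                stack[-1]["own"] = words[1]
        else:
            words.append(tok)
            continue
        words = []
    return root

def audit(block, inherited="on", path=()):
    """Return (block path, effective server_tokens value) for each context block."""
    value = block["own"] or inherited                  # unset blocks inherit the outer value
    findings = []
    if block["name"].split(" ")[0] in CONTEXTS:
        path = path + (block["name"],)
        findings.append((" > ".join(path), value))
    for child in block["children"]:
        findings += audit(child, value, path)
    return findings

def disclosing(conf_text):
    """Blocks whose effective value is not 'off', i.e. still emit version details."""
    return [(p, v) for p, v in audit(parse_blocks(conf_text)) if v != "off"]
```

Calling disclosing(SAMPLE) reports only the '/status' location, which re-enables the directive beneath an 'http'-level 'off'.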
