2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure

Information

The Server and X-Powered-By response headers may reveal the underlying technology used by an application. An NGINX reverse proxy passes these headers through from the upstream unless it is explicitly directed to remove them.

Rationale:

Attackers can conduct reconnaissance on a website using these response headers, then target attacks for specific known vulnerabilities associated with the underlying technologies. Removing these headers will reduce the likelihood of targeted attacks.

Solution

Implement the directives below as part of your location block. Edit /etc/nginx/nginx.conf and add the following:

location /docs {
    ....
    proxy_hide_header X-Powered-By;
    proxy_hide_header Server;
    ....
}
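As an added audit check (not part of the benchmark or its audit file), the POSIX shell script below parses an nginx configuration and flags every location block that uses proxy_pass without both proxy_hide_header directives, run here against a constructed sample config. It assumes location blocks are not nested and that the header names are spelled exactly Server and X-Powered-By.

```shell
#!/bin/sh
# Added audit helper, not from the CIS benchmark: for every location block
# that proxies to an upstream (contains proxy_pass), verify that both
# "proxy_hide_header Server;" and "proxy_hide_header X-Powered-By;" are set.
# Assumption: location blocks contain no nested brace blocks.

# Constructed sample config: /docs is hardened, /api is not, /static does not proxy.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    location /docs {
        proxy_pass http://127.0.0.1:8080;
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
    }
    location /api {
        proxy_pass http://127.0.0.1:9000;
    }
    location /static {
        root /var/www;
    }
}
EOF

# Prints "FAIL <location>" for each non-compliant proxied location;
# returns 0 when every proxied location hides both headers, 1 otherwise.
audit_hide_headers() {
    awk '
        /^[[:space:]]*location[[:space:]]/ {
            sub(/^[[:space:]]*location[[:space:]]+/, "")   # strip keyword
            sub(/[[:space:]]*[{].*$/, "")                  # strip opening brace
            name=$0; inloc=1; pp=0; srv=0; xpb=0; next
        }
        inloc && /proxy_pass[[:space:]]/                                { pp=1 }
        inloc && /proxy_hide_header[[:space:]]+Server[[:space:]]*;/        { srv=1 }
        inloc && /proxy_hide_header[[:space:]]+X-Powered-By[[:space:]]*;/  { xpb=1 }
        inloc && /^[[:space:]]*[}]/ {
            if (pp && !(srv && xpb)) { print "FAIL " name; bad++ }
            inloc=0
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

audit_hide_headers "$SAMPLE_CONF" || echo "non-compliant proxied locations found"
```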

Default Value:

This is not implemented by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-3, CSCv7|18.1

Plugin: Unix

Control ID: 4423e5d13944c0f4ea5232f03ea30394a63bd7cc3ca7f82d34a30d207190fcd1