2.5.1 Ensure server_tokens directive is set to 'off'

Information

The server_tokens directive is responsible for displaying the NGINX version number and operating system version on error pages and in the Server HTTP response header field. This information should not be displayed.

Rationale:

Attackers can conduct reconnaissance on a website using these response headers, then target attacks for specific known vulnerabilities associated with the underlying technologies. Hiding the version will slow down and deter some potential attackers.

Solution

To disable the server_tokens directive, set it to off inside of every server block in your nginx.conf or in the http block:

server {
...
server_tokens off;
...
}

Default Value:

The default value of server_tokens is on.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-3, CSCv7|18.1

Plugin: Unix

Control ID: 4cdc59e95fdbb993621a29733f675c3fe72092fd487d11b7dc8eb85b3a6a102e