How to remove nginx & PHP versions from HTTP Header

Unless disabled both nginx and PHP give away their version in the HTTP Header. Here is what that looks like:

For security purposes it’s not a bad idea to prevent those versions from being shown. Mind you, security through obscurity is no real security. Having said that, here’s how to do it.

To disable the nginx version, in /etc/nginx/nginx.conf add server_tokens off; in the http section:

More information about server_tokens can be found in the nginx docs.

It’s not possible to disable just the PHP version in the X-Powered-By: PHP/5.3.3 header. However, it is possible to disable the header altogether. There are two ways to do that:

1) in /etc/php.ini add expose_php = Off. This will disable the PHP header everywhere.

2) if you only want the X-Powered-By: PHP/5.3.3 header disabled for a certain host, add php_flag[expose_php] = off to the appropriate conf file in /etc/php-fpm.d/.

More information about expose_php can be found in the PHP manual.

With both headers sanitized, the HTTP Response Headers now look like this:

No more headers giving away the versions of both nginx and PHP.
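A quick way to verify the result after applying the settings above is to audit the response headers for version disclosure. The following is an added example, not part of the original post; the header blocks are constructed samples (the nginx version string is made up, the PHP one is the post’s), and `check_host` is a hypothetical wrapper around curl for use against a host you administer.

```shell
# Audits a raw HTTP response header block read from stdin. Prints one line per
# finding; returns 1 if a version leaked or X-Powered-By is present, else 0.
audit_headers() {
    tr -d '\r' | awk '
        {
            name = tolower($0); sub(/:.*/, "", name)      # header name, lowercased
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)    # header value
            # "Server: nginx" is fine; "Server: nginx/1.2.3" discloses a version
            if (name == "server" && value ~ /\/[0-9]/) {
                print "LEAK Server header discloses version: " value; leaks++
            }
            # expose_php = Off removes this header entirely, so any value is a finding
            else if (name == "x-powered-by") {
                print "LEAK X-Powered-By header present: " value; leaks++
            }
        }
        END { exit (leaks > 0) }'
}

# Audit a live host, e.g. check_host https://host.example (hypothetical helper).
check_host() {
    curl -sI "$1" | audit_headers
}

# Constructed sample responses (not captured from a real server): the first is
# the default disclosure, the second has server_tokens off and expose_php = Off.
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.2.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html'

CLEAN_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

printf '%s\n' "$LEAKY_HEADERS" | audit_headers || echo "before: versions disclosed"
printf '%s\n' "$CLEAN_HEADERS" | audit_headers && echo "after: no version disclosure"
```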

5 thoughts on “How to remove nginx & PHP versions from HTTP Header”

  1. Thought I would contribute as this entry still comes up high on search –
    I prefer to completely hide Server info, and it is easy.

    Running Debian, I apt-get nginx-extras
    and then edit /etc/nginx.conf
    and add the following after the http { #Basic settings

    more_set_headers 'Server: My Quirky Server Name (not matching webserver)';
