How to Verify Server Tokens Are Disabled in Nginx for Enhanced Security



Server tokens in web servers like Nginx expose version information in HTTP headers, making it easier for attackers to identify potential vulnerabilities in specific software versions. The pentest report correctly identified this as an information leakage vulnerability that should be mitigated.

To disable server tokens in Nginx, you've correctly added this directive to your nginx.conf:

http {
    server_tokens off;
    # Other http block configurations...
}

After making this change, remember to reload Nginx:

sudo nginx -s reload

Here are several reliable ways to verify the change has taken effect:

1. Using curl Command

The simplest way to check headers:

curl -I http://yourdomain.com

Sample output before and after:

# Before (shows version)
Server: nginx/1.18.0 (Ubuntu)

# After (generic response)
Server: nginx

2. Browser Developer Tools

In Chrome/Firefox:

  1. Open Developer Tools (F12)
  2. Go to Network tab
  3. Reload page
  4. Check Response Headers for Server field

3. Online Header Checkers

Tools like:

For comprehensive testing:

nmap -sV --script http-headers yourdomain.com -p 80,443

This will show detailed header information including whether server tokens are properly suppressed.

Sometimes the change might not appear to work because:

  • The configuration wasn't properly reloaded
  • There are multiple server blocks with conflicting settings
  • Cloudflare or other CDNs might override headers

For thorough testing, create a test endpoint with a unique response:

location /server-test {
    # Request /server-test and inspect the Server header on this response;
    # the location inherits server_tokens from the enclosing http block.
    add_header X-Test "Token check";
    return 200;
}
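The troubleshooting list above points at the most common cause of a "fix" that does not show up: a second server block, often in an included file, that sets server_tokens again. The following script is an added example, not code from the original answer. It audits every server_tokens directive in a configuration dump and names the block each one sits in, so a directive that re-enables tokens is visible at a glance. It is meant to be fed the output of nginx -T (which expands all include files); audit_server_tokens and SAMPLE_CONFIG are this example's own names, and the constructed sample config stands in for a real dump so the script runs offline.

```shell
#!/bin/bash
# Added example, not part of the original answer: audit every server_tokens
# directive in a full nginx configuration dump. Feed it the output of
# `nginx -T`, which expands all include files, so a directive in conf.d/ or
# sites-enabled/ that re-enables tokens is not missed. Assumes awk and a
# POSIX shell, and the usual one-"{"-per-line nginx layout.

audit_server_tokens() {
    # Reads the config text on stdin and prints one line per directive:
    #   <line>: [<block path>] server_tokens <value>
    # Returns 0 only if at least one directive was found and all of them
    # are "off", so the function can gate a deploy step.
    awk '
        { line = $0; sub(/#.*/, "", line) }               # ignore commented-out text
        index(line, "{") > 0 { depth++; ctx[depth] = $1 } # entering http/server/location/...
        line ~ /^[ \t]*server_tokens[ \t]/ {
            val = line
            sub(/^[ \t]*server_tokens[ \t]+/, "", val)
            sub(/[ \t]*;.*$/, "", val)
            path = ""
            for (i = 1; i <= depth; i++) path = path (i > 1 ? ">" : "") ctx[i]
            printf "%d: [%s] server_tokens %s\n", NR, path, val
            found++
            if (val != "off") bad++
        }
        index(line, "}") > 0 { depth-- }                  # leaving the block
        END {
            if (found == 0) {
                print "no server_tokens directive found (nginx default is on)"
                exit 1
            }
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample standing in for `nginx -T` output: the http block turns
# tokens off, but a vhost quietly re-enables them.
SAMPLE_CONFIG='http {
    server_tokens off;
    server {
        listen 80;
        server_tokens on;
        location /server-test {
            return 200;
        }
    }
}'

if [ "$#" -gt 0 ] && [ "$1" = "--live" ]; then
    nginx -T 2>/dev/null | audit_server_tokens || echo "audit failed: fix the directives above"
else
    printf '%s\n' "$SAMPLE_CONFIG" | audit_server_tokens || echo "audit failed: fix the directives above"
fi
```

Run it with --live on the server to audit the running configuration; without arguments it audits the constructed sample, which prints the http-level off and the server-level on and exits non-zero. Commented-out lines are ignored, so a leftover "# server_tokens off;" does not count as a fix.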

Exposing server version information through HTTP headers (like "Server: nginx/1.18.0") gives potential attackers valuable intelligence about your stack. Our recent penetration test flagged this as a medium-risk finding that needs remediation.

In your nginx.conf file, add this directive either in the http, server, or location context:

http {
    # Other configurations...
    server_tokens off;
}

Curl Command

curl -I https://yourdomain.com

Before the fix, you might see:

Server: nginx/1.18.0

After applying server_tokens off, it should show:

Server: nginx

Browser Developer Tools

Check the Network tab in Chrome/Firefox DevTools for response headers. The Server header should be minimized.

Automated Testing with Nmap

nmap -sV --script http-headers yourdomain.com -p 80,443

This scans for version information while checking headers.

  • If using load balancers, check headers at each layer
  • Some modules (like PHP-FPM) may add their own version headers
  • Test both HTTP and HTTPS endpoints

For comprehensive protection:

; In php.ini: stop PHP from adding its own "X-Powered-By: PHP/x.y.z" header
expose_php = Off

# In the nginx location that passes requests to PHP-FPM: strip the header if it still arrives
fastcgi_hide_header X-Powered-By;

Here's a bash script to validate the configuration:

#!/bin/bash
DOMAIN="yourdomain.com"
# -s: no progress meter, -I: HEAD request so only the headers come back;
# tr strips the CR that terminates each header line.
RESPONSE=$(curl -sI "https://$DOMAIN" | grep -i '^server:' | tr -d '\r')

if [[ -z "$RESPONSE" ]]; then
    echo "⚠️  No Server header returned (a proxy or CDN may have stripped it)"
elif [[ "$RESPONSE" == *"nginx"* && "$RESPONSE" != *"/"* ]]; then
    echo "✅ Server tokens properly hidden"
else
    echo "❌ Server version exposed: $RESPONSE"
fi
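The script above answers yes or no for one HTTPS endpoint. The following is an added example, not code from either answer, that extends the same check to the cases the notes call out: both schemes, a missing Server header, a CDN or load balancer answering instead of nginx, and a PHP-FPM X-Powered-By header carrying a version. classify_headers reads raw header lines on stdin (exactly what curl -sI prints), so it can be exercised on captured text; probe wraps it with curl for a live host. The function names and the constructed header captures are this example's own; nothing here is nginx or curl API beyond the curl flags already used on the page.

```shell
#!/bin/bash
# Added example, not part of the original answers: classify what a response's
# Server and X-Powered-By headers give away. Assumes curl, awk and a POSIX shell.

header_value() {
    # $1 = header text, $2 = lower-case header name; prints the first value.
    printf '%s\n' "$1" | awk -v name="$2" -F': *' \
        'tolower($1) == name { sub(/^[^:]*: */, ""); print; exit }'
}

has_version() {
    # True when the value carries something like "1.18" or "8.1.2".
    printf '%s' "$1" | grep -Eq '[0-9]+\.[0-9]+'
}

classify_headers() {
    # Prints one word and sets the exit status:
    #   hidden  (0) Server is exactly "nginx": server_tokens off is in effect
    #   exposed (1) a version number leaks via Server or X-Powered-By
    #   missing (2) no Server header at all, so nginx is probably not what answered
    #   foreign (3) another product (CDN, load balancer) fronts the origin
    local hdr server powered
    hdr=$(tr -d '\r')                      # headers arrive CRLF-terminated
    server=$(header_value "$hdr" server)
    powered=$(header_value "$hdr" x-powered-by)
    if [ -n "$powered" ] && has_version "$powered"; then
        echo exposed; return 1
    fi
    case "$(printf '%s' "$server" | tr 'A-Z' 'a-z')" in
        '')      echo missing; return 2 ;;
        nginx)   echo hidden;  return 0 ;;
        nginx/*) echo exposed; return 1 ;;
        *)       echo foreign; return 3 ;;
    esac
}

probe() {
    # $1 = host name. Checks both schemes without following redirects, so the
    # headers of each listener are judged on their own.
    local scheme url
    for scheme in http https; do
        url="$scheme://$1/"
        printf '%-30s %s\n' "$url" "$(curl -sI --max-time 10 "$url" | classify_headers)"
    done
}

# With a host name as the first argument, probe it for real. Otherwise run
# over constructed captures that stand in for curl output, so the script
# demonstrates itself offline.
if [ "$#" -gt 0 ]; then
    probe "$1"
else
    for hdr in 'Server: nginx' \
               'Server: nginx/1.18.0 (Ubuntu)' \
               'Server: nginx\r\nX-Powered-By: PHP/8.1.2' \
               'Server: cloudflare'; do
        printf '%-44s -> %s\n' "$hdr" \
            "$(printf 'HTTP/1.1 200 OK\r\n%b\r\n' "$hdr" | classify_headers)"
    done
fi
```

A "foreign" result is the CDN case from the notes: the header you see belongs to the edge, and the origin must be checked directly (for example from a host that can reach it without the CDN in front) before concluding that server_tokens off is in effect.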