4507-nginx-servertoken - Ensure server_tokens Directive Is Set to off
Rule ID
Category
Level
Compatible Versions
Description
- The server_tokens directive controls the display of the NGINX version number and operating system version in error pages and the Server HTTP response header field. This information should not be exposed.
Scan Frequency
Rationale
- Attackers can use these response headers to perform reconnaissance on the website and then target attacks based on specific known vulnerabilities related to the underlying technology. Hiding this version information can slow down and deter some potential attackers.
Risk Items
Audit Method
- Execute the following command to verify:
curl -I 127.0.0.1 | grep -i server
# If the result is as follows, it is recommended to turn off server_token
Server: nginx/1.14.0
- Execute the following commands:
To disable the server_tokens directive, set it to
off within the server block in nginx.conf:
server {
...
server_tokens off;
...
}
Impact
Default Value
- By default, server_tokens is enabled.
References
CIS Controls