Reducing the version detail that Nginx sends in default headers and generated error pages removes one easy fingerprint from every request path. It does not harden the service by itself, but it reduces casual version disclosure and makes routine banner matching less direct.
The server_tokens directive controls whether the Server response header and Nginx-generated error pages show only nginx or a versioned banner such as nginx/1.27.5. Current Nginx documentation allows the directive in the http, server, or location context, and the most specific active context wins for the response being served.
For a site-wide result, place server_tokens off; in the global http context, or ensure the default server on each listen socket also inherits it, because some errors can happen before name-based virtual host selection finishes. The setting still leaves the plain nginx server name unless a separate header rewrite mechanism or commercial subscription feature is used, and reverse proxies or CDNs can replace the Server header before clients see it.
$ sudoedit /etc/nginx/nginx.conf
On split layouts, a file included from the http block under /etc/nginx/conf.d/ can carry the same site-wide setting.
sudoedit uses $EDITOR and writes the file with elevated permissions when it is saved.
http {
    server_tokens off;
    ##### snipped #####
}
Prefer the global http block when the goal is to suppress version strings everywhere, because early errors can use the default server before a name-based virtual host is selected.
A more specific server or location block can override the http value later in the active configuration.
$ sudo grep --recursive --line-number --extended-regexp '^[[:space:]]*server_tokens' /etc/nginx
/etc/nginx/nginx.conf:17: server_tokens off;
If the same directive appears in multiple loaded files, Nginx uses the most specific matching context for the response it serves.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
$ sudo systemctl reload nginx
Use sudo nginx -s reload on hosts where systemd is not managing the service.
$ curl -I -sS http://127.0.0.1/
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 4
Connection: keep-alive
Query the public hostname or add the expected Host header when 127.0.0.1 does not reach the same virtual host that clients use.
$ curl -I -sS http://127.0.0.1/missing
HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
A custom error_page can change the body content, but the Nginx-generated response header should still drop the version when the effective server_tokens setting is off.
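The grep step above shows where server_tokens appears, but a server or location block can still override the http value. The following shell function is an added example, not part of the original page: it reads nginx -T output and reports every directive whose value is not off. The name audit_server_tokens and the sample dump are constructed for illustration.

```shell
# Added example: audit server_tokens values in `nginx -T` output read on stdin.
# Exit 0: every directive is "off"; 1: some value is not "off";
# 2: directive never set, so the documented default (on) applies.
audit_server_tokens() {
    awk '
        # nginx -T prefixes each dumped file with "# configuration file PATH:"
        /^# configuration file / { file = $4; sub(/:$/, "", file); line = 0; next }
        {
            line++
            text = $0
            sub(/#.*/, "", text)   # ignore comments such as "# server_tokens on;"
            if (match(text, /(^|[ \t;{])server_tokens[ \t]+[^;]*;/)) {
                val = substr(text, RSTART, RLENGTH)
                sub(/^.*server_tokens[ \t]+/, "", val)
                sub(/[ \t]*;$/, "", val)
                seen = 1
                state = (val == "off") ? "OK" : "REVIEW"
                if (state == "REVIEW") bad = 1
                printf "%s %s:%d %s\n", state, file, line, val
            }
        }
        END {
            if (!seen) { print "REVIEW no server_tokens directive (default is on)"; exit 2 }
            exit bad + 0
        }
    '
}

# Constructed sample of `nginx -T` output; paths and contents are illustrative.
sample_dump() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    server_tokens off;
    include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/conf.d/legacy.conf:
server {
    listen 8080;
    # server_tokens on;
    location /status {
        server_tokens on;
    }
}
EOF
}

# Real use: sudo nginx -T 2>/dev/null | audit_server_tokens
sample_dump | audit_server_tokens || echo "audit exit status: $?"
```

Comment stripping is naive, so a # inside a quoted value would truncate that line before the match.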