Disabling server_tokens reduces passive information leakage by hiding the Nginx version in HTTP responses and generated error pages, which makes automated vulnerability matching less direct. The setting does not replace patching or hardening, but it removes an unnecessary fingerprint from every request.
In Nginx, the server_tokens directive controls whether the Server header includes a version suffix (for example, nginx/1.24.0) and whether default error pages display version details. The directive can be set in the http, server, or location context, and the most specific matching context takes precedence when multiple values exist.
The change can be applied globally for all virtual hosts by placing server_tokens off; in the http block, but a server_tokens directive in an included file or a more specific context can silently re-enable it. server_tokens off hides the version details but still leaves the nginx product identifier unless the Server header is rewritten separately, and upstream proxies or CDNs can also override headers at the edge. A configuration test before reload prevents a failed reload and avoids leaving the service in an unexpected state.
Steps to disable server_tokens in Nginx:
- Open the main Nginx configuration file for editing.
$ sudoedit /etc/nginx/nginx.conf
On split-configuration layouts, set server_tokens in a file included from the http block (commonly /etc/nginx/conf.d/ or /etc/nginx/sites-enabled/).
- Set server_tokens to off inside the http block.
http {
    server_tokens off;
    ##### snipped #####
}
- Search the active configuration tree for additional server_tokens directives that could override the intended setting.
$ sudo grep --recursive --line-number --extended-regexp '^[[:space:]]*server_tokens' /etc/nginx
/etc/nginx/nginx.conf:12: server_tokens off;
- Test the configuration for syntax errors.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
- Reload Nginx to apply the change.
$ sudo systemctl reload nginx
A reload applies configuration changes without dropping established connections.
- Verify the Server header no longer includes a version string.
$ curl --head http://127.0.0.1/ | grep -i '^server:'
Server: nginx
If a reverse proxy or CDN rewrites the Server header, run the same check against the public hostname instead of 127.0.0.1.
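Two checks for the "search for overriding directives" and "verify the Server header" steps above, added here as an example and not part of the original article: one classifies a captured curl --head response, the other audits concatenated configuration text for server_tokens directives that are not off. Both read stdin, so they run offline on captured output; the live commands in the final comment assume curl and read access to /etc/nginx.

```shell
#!/bin/sh
# Added example, not part of the original article: offline checks mirroring
# the "search for overriding directives" and "verify the Server header" steps.
# Both functions read text on stdin, so they can be run on captured output.

# Classify the first Server header of an HTTP response (as printed by
# curl --head). Prints "missing", "version" (a /x.y.z suffix is present)
# or "hidden" (a bare product name such as "nginx").
classify_server_header() {
    header=$(tr -d '\r' | grep -i '^server:' | head -n 1)
    if [ -z "$header" ]; then
        printf 'missing\n'
    elif printf '%s\n' "$header" | grep -Eq '/[0-9]+(\.[0-9]+)*'; then
        printf 'version\n'
    else
        printf 'hidden\n'
    fi
}

# Audit nginx configuration text for server_tokens directives whose value is
# not "off" (this includes "on" and "build", which exposes the build name).
# Feed it the concatenated content of nginx.conf and every file it includes.
# Comment lines and trailing comments are ignored, so a disabled
# "# server_tokens on;" is not reported. Prints each offending directive,
# or "clean" when none remain.
audit_server_tokens() {
    found=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -E '(^|[[:space:];{])server_tokens[[:space:]]' \
        | grep -Ev 'server_tokens[[:space:]]+off[[:space:]]*;' || true)
    if [ -z "$found" ]; then
        printf 'clean\n'
    else
        printf '%s\n' "$found"
    fi
}

# Live usage against a running instance (assumes curl is installed and the
# caller can read /etc/nginx):
#   curl --silent --head http://127.0.0.1/ | classify_server_header
#   find /etc/nginx -name '*.conf' -exec cat {} + | audit_server_tokens
```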
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
