When running a website, security should always be one of your top priorities. One simple yet effective security measure is customising your web server headers. By default, Nginx displays its name and version in the server header, potentially exposing valuable information to attackers. In this comprehensive guide, we’ll explore how to customise Nginx server headers for better security without recompiling your web server, using the headers-more module. This technique helps protect your website by hiding sensitive server information and enhancing your overall security posture.
When you browse a website, the web server returns response headers that contain various pieces of information. By default, Nginx reveals its name and version in the “Server” header, which might look something like this:
Server: nginx/1.10.0
This information disclosure creates several security concerns:
By customising or removing these headers, you add a layer that is usually described as “security through obscurity”: it does not fix any vulnerability, but it stops an attacker matching your exact Nginx version against known issues at a glance. Treat it as one layer of your defence strategy alongside keeping Nginx patched, not as a substitute for it.
Before getting started, ensure you have:
If you don’t already have Nginx installed, you can install it using your package manager:
apt-get update
apt-get install nginx
The nginx-extras package contains the headers-more module along with several other useful modules. Install it using:
apt-get install nginx-extras
This installation provides the functionality we need without having to compile Nginx from source.
Open your main Nginx configuration file:
nano /etc/nginx/nginx.conf
There are several approaches you can take to modify your server headers, depending on your security requirements:
To keep the “nginx” name but hide the version number, add this line inside the http block (server_tokens off also stops Nginx printing its version on its built-in error pages, which is worth checking since those are often overlooked):
http {
    server_tokens off;
    # Other existing configuration...
}
To remove the Server header completely, add this inside the http block:
http {
    more_clear_headers Server;
    # Other existing configuration...
}
To replace the default server name with your own custom name:
http {
    more_set_headers "Server: My Custom Server";
    # Other existing configuration...
}
For even more privacy, you can remove additional headers. Be aware that Content-Type and Content-Length are not fingerprinting headers: browsers and other clients rely on them to render and frame the response, so clearing them gives little privacy benefit and can break clients. Test any such change against your real pages before deploying it:
http {
    more_clear_headers Server;
    more_clear_headers Content-Type;
    more_clear_headers Accept-Ranges;
    more_clear_headers Content-Length;
    # Other existing configuration...
}
Before restarting Nginx, verify that your configuration syntax is correct:
nginx -t
If successful, you should see:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart the Nginx service to apply your changes:
service nginx restart
Or, on systems using systemd:
systemctl restart nginx
You can verify your header changes using the curl command:
curl -I your-website.com
This will display the headers returned by your server, allowing you to confirm that your customisations were applied successfully.
Let’s examine how different configurations affect your server headers:
Default configuration (name and version disclosed):
HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Mon, 13 May 2025 03:22:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

With server_tokens off (name only):
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 May 2025 03:26:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

With more_clear_headers Server (no Server header at all):
HTTP/1.1 200 OK
Date: Mon, 13 May 2025 03:34:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

With the additional headers cleared as well:
HTTP/1.1 200 OK
Date: Mon, 13 May 2025 03:38:28 GMT
Connection: keep-alive

With more_set_headers "Server: My Custom Server":
HTTP/1.1 200 OK
Date: Mon, 13 May 2025 03:45:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: My Custom Server
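The curl check above is easy to run once and forget. The following POSIX sh helper is an added example, not part of the original article or of the headers-more project: it reads response headers (for instance from `curl -sI`) and classifies what the Server header discloses, so the check can be repeated after every configuration change. The file name, the four result words and the sample responses are assumptions made for this example; the samples are constructed to mirror the five outputs shown above, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: classify what the Server header
# in a set of HTTP response headers discloses, so the `curl -I` verification
# step can be scripted.
# Usage (assumed file name):  curl -sI https://your-website.com | sh check_server_header.sh
#        or, with no input:   sh check_server_header.sh   (runs the built-in samples)

# Read raw response headers on stdin and print exactly one word:
#   disclosed  - "Server: nginx/<version>"   (default Nginx behaviour)
#   name-only  - "Server: nginx"             (server_tokens off)
#   custom     - any other Server value      (more_set_headers)
#   hidden     - no Server header at all     (more_clear_headers Server)
classify_server_header() {
    # Keep the first Server: line (header names are case-insensitive), strip
    # the field name and any carriage return left over from CRLF line endings.
    value=$(tr -d '\r' | grep -i '^server:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
    if [ -z "$value" ]; then
        echo hidden
    elif printf '%s\n' "$value" | grep -Eq '^nginx/[0-9]'; then
        echo disclosed
    elif [ "$value" = "nginx" ]; then
        echo name-only
    else
        echo custom
    fi
}

# Constructed sample responses (not captured from a real server) that mirror
# the configurations shown in the article, so the script can run offline.
sample_default()   { printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.10.0\r\nContent-Type: text/html\r\nConnection: keep-alive\r\n\r\n'; }
sample_no_tokens() { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\nConnection: keep-alive\r\n\r\n'; }
sample_cleared()   { printf 'HTTP/1.1 200 OK\r\nDate: Wed, 01 Jan 2025 00:00:00 GMT\r\nConnection: keep-alive\r\n\r\n'; }
sample_custom()    { printf 'HTTP/1.1 200 OK\r\nServer: My Custom Server\r\nConnection: keep-alive\r\n\r\n'; }

# With a URL argument, fetch its headers with curl and classify them;
# with no argument, run the constructed samples as a self-check.
if [ $# -ge 1 ]; then
    curl -sI "$1" | classify_server_header
else
    for s in sample_default sample_no_tokens sample_cleared sample_custom; do
        printf '%s: %s\n' "$s" "$($s | classify_server_header)"
    done
fi
```

Run it with your site's URL as the first argument after each restart; anything other than "hidden" or "custom" (or "name-only", if that is what you chose) means the change did not take effect, which usually points at the directive sitting outside the http block or at the nginx-extras package not being installed.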
When customising your Nginx headers, consider these best practices:
If you encounter issues when customising your headers, check the following:
Customising your Nginx server headers is a simple yet effective security measure that helps protect your website from potential attackers. By hiding or modifying server information, you reduce your attack surface and make it more difficult for malicious actors to identify vulnerabilities in your system. Combined with other security practices like regular updates, proper access controls, and security headers, customising your server headers contributes to a more robust security posture for your website.
Whether you choose to completely remove headers, set custom values, or simply hide version information, the headers-more module provides a flexible solution without requiring you to recompile Nginx. Start implementing these changes today to enhance your website’s security and protect your valuable data.