If you followed my guide to install the LEMP stack, then by default the Nginx configuration sends HTTP headers that disclose the Nginx and PHP version numbers of the server. This lets attackers pick version-specific security vulnerabilities to use against your web servers. This tutorial explains how to hide the Nginx and PHP versions in HTTP headers and error pages.
Here is what it looks like:
$curl -I http://localhost.local
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 27 Nov 2017 12:22:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.1.11
Let's look at how to hide the Nginx & PHP versions in the LEMP stack:
How to hide Nginx & PHP versions
Step 1: Open your Nginx server configuration file /etc/nginx/nginx.conf (this is the default path; it may differ depending on your installation) and add server_tokens off; in the http section as shown below:
#vim /etc/nginx/nginx.conf
http {
    #Hide nginx version
    server_tokens off;
}
Step 2: Open the file /etc/nginx/fastcgi_params
#vim /etc/nginx/fastcgi_params
Replace the line:
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
With:
fastcgi_param SERVER_SOFTWARE nginx;
How to hide PHP version number:
Open the file /etc/php.ini and add expose_php = Off. This removes the PHP header information (the X-Powered-By header) from every response.
#vim /etc/php.ini
expose_php = Off
How to restart PHP-FPM and Nginx services on CentOS 7
#systemctl restart php-fpm
#systemctl restart nginx
How to view your web-server header information
Verify your modifications:
$curl -I http://localhost.local
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 Nov 2017 12:53:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
You will notice that the version information of Nginx and PHP is no longer visible!
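To turn the manual curl check above into something repeatable, here is a small Python audit helper. It is an added example written for this tutorial, not part of the original post or of Nginx/PHP: it parses the output of curl -I, flags the Server and X-Powered-By headers when their value carries a product version, and checks that server_tokens off; and expose_php = Off are actually active (not commented out) in the configuration text you feed it. The two header samples are constructed copies of the before/after output shown in the tutorial; the helper takes file contents as strings, so you can pass it whatever paths your installation uses.

```python
import re
from typing import Dict, List

# Constructed sample: the curl -I output before hardening, as shown in the tutorial.
HEADERS_BEFORE = """HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 27 Nov 2017 12:22:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.1.11
"""

# Constructed sample: the curl -I output after hardening.
HEADERS_AFTER = """HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 Nov 2017 12:53:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
"""

# Response headers that commonly identify server software.
DISCLOSURE_HEADERS = ("server", "x-powered-by")
# Matches a "product/1.2.3" style token inside a header value.
VERSION_RE = re.compile(r"[A-Za-z0-9_.-]+/\d+(?:\.\d+)*")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse curl -I output into a {lowercase-name: value} dict (status line skipped)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_version_leaks(raw: str) -> List[str]:
    """Return 'name: value' for every disclosure header whose value carries a version."""
    leaks = []
    for name, value in parse_headers(raw).items():
        if name in DISCLOSURE_HEADERS and VERSION_RE.search(value):
            leaks.append(f"{name}: {value}")
    return leaks


def server_tokens_off(nginx_conf: str) -> bool:
    """True if nginx.conf contains an uncommented 'server_tokens off;' directive."""
    for line in nginx_conf.splitlines():
        code = line.split("#", 1)[0].strip()  # drop '#' comments
        if re.fullmatch(r"server_tokens\s+off\s*;", code):
            return True
    return False


def expose_php_off(php_ini: str) -> bool:
    """True if php.ini contains an uncommented 'expose_php = Off' setting."""
    for line in php_ini.splitlines():
        code = line.split(";", 1)[0].strip()  # drop ';' comments
        if re.fullmatch(r"expose_php\s*=\s*off", code, re.IGNORECASE):
            return True
    return False


if __name__ == "__main__":
    print("before:", find_version_leaks(HEADERS_BEFORE))
    print("after: ", find_version_leaks(HEADERS_AFTER))
```

To check a live server, pipe the real output in, for example with subprocess.run(["curl", "-I", url], capture_output=True, text=True).stdout. Note that the check deliberately accepts Server: nginx, because server_tokens off removes only the version; the product name itself still appears, which is all this tutorial sets out to change.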