Hide Nginx & PHP versions in HTTP Header & Error Pages

Updated on November 27, 2017

If you followed my guide to install the LEMP stack, then by default Nginx sends HTTP response headers that include the Nginx and PHP version numbers of the server. This information helps attackers pick version-specific vulnerabilities to use against your web servers. This tutorial explains how to hide the Nginx & PHP versions in HTTP headers and error pages.

Here is what the default response looks like:

$ curl -I http://localhost.local
 HTTP/1.1 200 OK
 Server: nginx/1.12.2
 Date: Mon, 27 Nov 2017 12:22:36 GMT
 Content-Type: text/html; charset=UTF-8
 Connection: keep-alive
 Vary: Accept-Encoding
 X-Powered-By: PHP/7.1.11

Let’s look at how to hide the Nginx & PHP versions in a LEMP stack:

How to hide Nginx & PHP versions

Step 1: Open your Nginx server configuration file /etc/nginx/nginx.conf (it’s the default path, however it might change based on your installation) and add server_tokens off; in the http section as shown below:

# vim /etc/nginx/nginx.conf
http {
   #Hide nginx version
   server_tokens off;
}

How to find the Nginx config file

Run the command nginx -t; its output includes the configuration file path:
Sample Output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Step 2: Open the file /etc/nginx/fastcgi_params

# vim /etc/nginx/fastcgi_params

Replace the line:

fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

With:

fastcgi_param  SERVER_SOFTWARE    nginx;

How to hide PHP version number:

Open the file /etc/php.ini and add expose_php = Off. This stops PHP from sending the X-Powered-By header, so the PHP version no longer appears in any response.

# vim /etc/php.ini
expose_php = Off

How to find the php.ini file

Run the command php -i | grep php.ini; its output includes the configuration file path:
Sample Output:
Configuration File (php.ini) Path => /etc
Loaded Configuration File => /etc/php.ini

How to restart PHP-FPM and Nginx services on CentOS 7

# systemctl restart php-fpm

# systemctl restart nginx

How to view your web-server header information

Verify your modifications:

$ curl -I http://localhost.local
 HTTP/1.1 200 OK
 Server: nginx
 Date: Mon, 27 Nov 2017 12:53:47 GMT
 Content-Type: text/html; charset=UTF-8
 Connection: keep-alive
 Vary: Accept-Encoding

Notice that the Nginx and PHP version information is no longer visible.
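
To repeat this check after every configuration change, and to cover error pages as well as headers, the verification can be scripted. The following is an added example, not part of the original article: the function names check_headers and check_error_body are hypothetical, the header samples are taken from the curl output above, and the 404 bodies are constructed in the shape of Nginx's built-in error page.

```shell
#!/bin/sh
# Added example (not from the original article): detect version disclosure.

# Reads raw response headers on stdin, e.g.  curl -sI http://localhost.local
# Returns 0 if clean, 1 if Server carries a version or X-Powered-By is present.
check_headers() {
    tr -d '\r' | awk '
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        name == "server" && value ~ /\/[0-9]/ { print "LEAK: " $0; leaks++ }
        name == "x-powered-by"                { print "LEAK: " $0; leaks++ }
        END { exit (leaks > 0) }
    '
}

# Reads an error-page body on stdin, e.g.  curl -s http://localhost.local/missing
# Returns 1 if the Nginx footer still shows "nginx/<version>".
check_error_body() {
    if grep -Eq 'nginx/[0-9]+\.[0-9]+'; then
        echo "LEAK: error page footer shows nginx version"
        return 1
    fi
    return 0
}

# Header sets taken from the before/after curl output in the article.
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.12.2
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/7.1.11'
AFTER_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8'

# Constructed 404 bodies in the shape of the Nginx built-in error page.
BEFORE_404='<html><body><center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.2</center></body></html>'
AFTER_404='<html><body><center><h1>404 Not Found</h1></center>
<hr><center>nginx</center></body></html>'

printf '%s\n' "$BEFORE_HEADERS" | check_headers    || echo "before: headers leak"
printf '%s\n' "$AFTER_HEADERS"  | check_headers    && echo "after: headers clean"
printf '%s\n' "$BEFORE_404"     | check_error_body || echo "before: error page leaks"
printf '%s\n' "$AFTER_404"      | check_error_body && echo "after: error page clean"
```

Both functions return a non-zero status on a leak, so they can gate a deployment script or a monitoring check.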
