Hide all version and powered by headers by default in nginx config
Disable passenger version: https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html#_passenger_show_version_in_header_lt_on_off_gt
Remove X-powered-by headers:
http://wiki.nginx.org/HttpHeadersMoreModule#more_clear_headers
At a minimum, don't send version info, but ideally don't leak anything that limits/narrows an attack surface (telling people you use nginx/passenger, etc.).
-
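Added example, not code from this thread, from nginx or from the Passenger project: a POSIX sh snippet that prints the http-context directives the issue asks for (server_tokens, passenger_show_version_in_header, more_clear_headers from the headers-more module linked above) and audits a captured header dump, as produced by `curl -sI`, for software or version disclosure. The two header dumps are constructed samples; the header names cleared (X-Powered-By, X-Runtime) and the list of headers treated as disclosure are assumptions for a Rails app behind Passenger.

```shell
#!/bin/sh
# Added example, not code from the thread, nginx or Passenger.
# Two pieces: the http-context directives the thread asks for, and an
# audit of a header dump (as printed by `curl -sI https://host/`) that
# flags software or version disclosure.

# Constructed sample: what an unhardened nginx + Passenger (Rails) response
# might look like. The values are invented for illustration.
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: Phusion Passenger 6.0.2
X-Runtime: 0.012345
Content-Type: text/html; charset=utf-8'

# Constructed sample: the same response after the directives below are applied.
CLEAN_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8'

# hardened_http_block: print directives for nginx's http {} context.
# server_tokens off removes the version from "Server:" (the product name stays).
# passenger_show_version_in_header off removes the version from the
# X-Powered-By header Passenger adds, but the header itself is still sent,
# so it is cleared explicitly. more_clear_headers needs the headers-more
# module; the header names cleared here are assumptions for a Rails app.
hardened_http_block() {
    cat <<'EOF'
http {
    server_tokens off;
    passenger_show_version_in_header off;
    more_clear_headers 'X-Powered-By' 'X-Runtime';
}
EOF
}

# audit_headers: read a header dump on stdin, print each disclosing header,
# return 1 if any was found and 0 if the dump is clean.
audit_headers() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        case "$name" in
            x-powered-by|x-runtime|x-aspnet-version)
                printf 'disclosure: %s\n' "$line"; found=1 ;;
            server)
                # a "/" followed by a digit means "product/version"
                case "$line" in
                    */[0-9]*) printf 'version in Server header: %s\n' "$line"; found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}

# Usage on a live host: curl -sI https://host/ | audit_headers
# Demonstration on the constructed samples:
printf '%s\n' "$LEAKY_HEADERS" | audit_headers || echo "disclosure found"
printf '%s\n' "$CLEAN_HEADERS" | audit_headers && echo "clean"
```

The audit treats `Server: nginx` as acceptable and only flags a version suffix, matching what `server_tokens off` produces; if the goal is to hide the product name as well, nginx needs the headers-more module (`more_set_headers`) or a source rebuild, which is the point raised later in the thread.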
Simon B. commented
# diff `passenger-config about resourcesdir`/templates/standalone/config.erb /etc/secretive.config.erb
http {
    server_tokens off;
    passenger_show_version_in_header off;
}
# Then:
# passenger start --nginx-config-template secretive.config.erb
-
Ryan Northrup commented
At the very least, even having the HTTP Headers More module preinstalled (instead of requiring those wishing to use it to rebuild nginx from source and manually manage it for every single server) would be a step in the right direction.