4 messages in ru.sysoev.nginx: HTTP header manipulation

From / Sent on
Nuno Magalhães, Feb 20, 2009 2:17 pm
Maxim Dounin, Feb 20, 2009 4:12 pm
Nuno Magalhães, Feb 20, 2009 4:48 pm
Merlin, Feb 23, 2009 6:44 pm
Subject: HTTP header manipulation
From: Nuno Magalhães (nuno@eu.ipp.pt)
Date: Feb 20, 2009 2:17:18 pm
List: ru.sysoev.nginx

I thought I'd use a different thread instead of stealing Paul's...

HTTP-header manipulation is another type of exploit which does relate to the web server. On that, how can I prevent nginx from sending the server name? I.e., given this:

[...]
GET / HTTP/1.1
Host: localhost
Accept: text/html

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Feb 2009 22:08:31 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive

I'd like to remove or spoof that "Server .." line. I've done these changes on my files:

/etc/nginx/nginx.conf
[...]
http {
    [...]
    server_tokens off;
    [...]

/etc/nginx/fastcgi_params
[...]
fastcgi_param SERVER_SOFTWARE apache; # or whatever string
fastcgi_param SERVER_NAME again... some string here;

I'm also fiddling with error pages so they present my error pages, which also includes "msie_padding on;" in .conf but this is its default setting anyway.

However, the server name does still go out in the response header. Am I missing something in the config? Do I have to reboot/reHUP the server again? Do I have to use PHP or something to filter the headers?
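Added here as a verification check, not code from the thread: a small Python script that parses a captured raw HTTP response such as the one quoted above and reports whether the Server header (and X-Powered-By, an added assumption for this example) still discloses a product name only or a product together with a version number. It lets you judge a configuration change by what the server actually sends rather than by what the config files say.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the response quoted in the post (server_tokens off is
# already in effect: the product name is present, the version number is not).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Fri, 20 Feb 2009 22:08:31 GMT\r\n"
    "Content-Type: text/html; charset=utf8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Headers to inspect for software disclosure (list chosen for this example).
DISCLOSURE_HEADERS = ("server", "x-powered-by")
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x response into its status line and a
    lower-cased header map; the body, if any, is ignored."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    status_line, *header_lines = head.splitlines()
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def server_disclosure(headers: Dict[str, str]) -> List[str]:
    """Describe what the checked headers reveal; an empty list means
    neither a product name nor a version is sent."""
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        kind = "product and version" if VERSION_RE.search(value) else "product name only"
        findings.append(f"{name}: discloses {kind} ({value!r})")
    return findings


if __name__ == "__main__":
    for finding in server_disclosure(parse_response(SAMPLE_RESPONSE)[1]):
        print(finding)
```

Feed it the raw bytes captured with a tool such as curl -i or a packet capture; an empty result means the checked headers are absent entirely, which is the state the post is asking how to reach.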