Details
The Server and X-Powered-By headers may reveal the underlying technology used by an application. An NGINX reverse proxy passes these upstream response headers through to the client unless it is explicitly directed to remove them.
Rationale:
Attackers can conduct reconnaissance on a website using these response headers, then target attacks at known vulnerabilities associated with the underlying technologies. Removing these headers reduces the likelihood of targeted attacks.
Solution
Implement the directives below as part of your location block. Edit '/etc/nginx/nginx.conf' and add the following:
location /docs {
    ….
    proxy_hide_header X-Powered-By;
    proxy_hide_header Server;
    ….
}
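One way to verify that every proxied location block carries both directives, as an added example that is not part of this control's own text: the function below parses an nginx configuration fragment (the SAMPLE_CONF string is constructed here) and reports, per location, which of the two headers is not hidden. It does not account for proxy_hide_header set at the server or http level, which NGINX would inherit.

```python
import re

# Constructed nginx.conf fragment: /docs is hardened as the control describes,
# /api still forwards the upstream Server and X-Powered-By headers.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        location /docs {
            proxy_pass http://app_backend;
            proxy_hide_header X-Powered-By;
            proxy_hide_header Server;
        }
        location /api {
            proxy_pass http://app_backend;
        }
    }
}
"""

# Headers the control requires to be hidden (compared case-insensitively,
# as HTTP header names are).
REQUIRED = {"x-powered-by", "server"}


def location_blocks(conf):
    """Yield (location expression, block body) for each location block.

    Braces are matched by depth so that nested blocks inside a location
    (for example an if {...}) stay with the location that contains them.
    """
    for m in re.finditer(r'location\s+([^{]+?)\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def audit_hidden_headers(conf):
    """Return {location: sorted list of required headers NOT hidden there}."""
    findings = {}
    for path, body in location_blocks(conf):
        hidden = {h.lower() for h in
                  re.findall(r'proxy_hide_header\s+([\w-]+)\s*;', body)}
        findings[path] = sorted(REQUIRED - hidden)
    return findings


if __name__ == "__main__":
    for path, missing in audit_hidden_headers(SAMPLE_CONF).items():
        print(f"location {path}: " + ("OK" if not missing else "MISSING " + ", ".join(missing)))
```

Note that proxy_hide_header only strips headers received from the upstream; NGINX still emits its own Server header, which server_tokens off shortens to "nginx" but does not remove.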
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.