Learn about Centmin Mod LEMP Stack today
Register Now

Nginx Remove all headers from nginx web server (with cloudflare)

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by negative, Nov 10, 2018.

  1. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    5:47 PM
    1.9.10
    10.1.11
    How to remove all header responses from nginx web server like centminmod forums? Btw, i'm using cloudflare so it puts some headers too. I want disable all headers. Can i override them ?

    P.S: I want it just for security measure


    Currently, example headers of my one page:
    Ekran Resmi 2018-11-10 11.44.54.png

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,389
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    1:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    FYI this forum's headers still show x-powered-by just that browser can't show all my headers for this forum in display due to size of all headers but they are there if you check via curl header checks

    Code (Text):
    curl -I https://community.centminmod.com/
    HTTP/1.1 200 OK
    Date: Sat, 10 Nov 2018 09:11:12 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Set-Cookie: __cfduid=d56e2105964ba6c434fc707c0356bc96b1541841072; expires=Sun, 10-Nov-19 09:11:12 GMT; path=/; domain=.centminmod.com; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-control: private, max-age=432000
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1
    X-Powered-By: centminmod
    Content-Security-Policy-Report-Only: Content-Security-Policy-Report-Only: default-src 'self' data: 'unsafe-inline' 'unsafe-eval' ; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' www.google-analytics.com www.iubenda.com cdn.iubenda.com cse.google.com www.googleapis.com clients1.google.com translate.googleapis.com cdn.ampproject.org onesignal.com adservice.google.com.qa adservice.google.kz adservice.google.be adservice.google.com.bh adservice.google.lt adservice.google.ge adservice.google.co.ug adservice.google.mk adservice.google.no adservice.google.ie adservice.google.co.ve adservice.google.com.eg adservice.google.lk adservice.google.rs adservice.google.tt adservice.google.cz adservice.google.co.th adservice.google.me adservice.google.dk adservice.google.ps adservice.google.mn adservice.google.cl adservice.google.com.uy adservice.google.bj adservice.google.tn adservice.google.pt adservice.google.hu adservice.google.hn adservice.google.com.np adservice.google.com.pa adservice.google.com.au adservice.google.ca adservice.google.com adservice.google.it adservice.google.co.in adservice.google.gr adservice.google.com.sa adservice.google.com.kh adservice.google.com.py adservice.google.iq adservice.google.lv adservice.google.co.cr adservice.google.bg adservice.google.com.pe adservice.google.com.pr adservice.google.dz adservice.google.fr adservice.google.co.id adservice.google.com.my adservice.google.es adservice.google.de adservice.google.co.jp adservice.google.com.br adservice.google.co.uk adservice.google.com.hk adservice.google.com.tw adservice.google.ae adservice.google.com.sg adservice.google.ru adservice.google.com.ua adservice.google.com.mx adservice.google.nl adservice.google.com.vn adservice.google.com.ph adservice.google.fi adservice.google.co.nz adservice.google.co.kr adservice.google.pl adservice.google.com.tr adservice.google.ro adservice.google.com.pk adservice.google.ch adservice.google.at adservice.google.com.co adservice.google.co.il adservice.google.md adservice.google.co.za www.google.com adservice.google.se adservice.google.com.ar cdncache-a.akamaihd.net protectsurf-a.akamaihd.net nodeping.com www.gstatic.com ajax.cloudflare.com cdnjs.cloudflare.com platform.twitter.com cdn.syndication.twimg.com syndication.twitter.com apis.google.com accounts.google.com pagead2.googlesyndication.com ssl.google-analytics.com connect.facebook.net stats.g.doubleclick.net googleads.g.doubleclick.net plus.google.com; style-src 'self' data: 'unsafe-inline' www.google.com maxcdn.bootstrapcdn.com cdn.onesignal.com onesignal.com fonts.googleapis.com cdnjs.cloudflare.com platform.twitter.com translate.googleapis.com; img-src 'self' data: centminmod.com csi.gstatic.com www.googleapis.com encrypted-tbn1.gstatic.com clients1.google.com www.google.com www.gstatic.com ssl.gstatic.com s-static.ak.facebook.com ssl.google-analytics.com googleads.g.doubleclick.net pagead2.googlesyndication.com stats.g.doubleclick.net www.gravatar.com cdn.syndication.twimg.com syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com s3.amazonaws.com translate.googleapis.com onesignal.com; font-src 'self' data: cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com themes.googleusercontent.com maxcdn.bootstrapcdn.com; connect-src 'self' translate.googleapis.com stats.g.doubleclick.net www.google-analytics.com onesignal.com googleads.g.doubleclick.net csi.gstatic.com syndication.twitter.com; media-src 'self' ; object-src 'self' pagead2.googlesyndication.com; child-src 'self' twitter.com www.google.com www.youtube.com syndication.twitter.com platform.twitter.com www.youtube-nocookie.com; frame-src 'self' securepubads.g.doubleclick.net onesignal.com www.dailymotion.com player.vimeo.com www.webpagetest.org www.youtube.com nodeping.com platform.twitter.com staticxx.facebook.com www.facebook.com s-static.ak.facebook.com googleads.g.doubleclick.net web.facebook.com mozbar.moz.com www.google.com; worker-src 'self' ; form-action 'self' syndication.twitter.com; upgrade-insecure-requests; report-uri https://centminmodcom.report-uri.com/r/d/csp/reportonly;
    Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
    X-Content-Type-Options: nosniff
    Referrer-Policy: strict-origin-when-cross-origin
    Strict-Transport-Security: max-age=31536000; includeSubdomains
    Link: </styles/xenbase/font-awesome/css/font-awesome.min.css>; rel="preload" as="style"
    Link: </styles/xenbase/font-awesome/fonts/fontawesome-webfont.woff2?v=4.7.0>; rel="preload" as="font" crossorigin
    CF-Cache-Status: HIT
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Server: cloudflare
    CF-RAY: 477763f19e93c1c7-IAD
    


    only x-fastcgi_cache header of yours would be removal out of the box just edit your nginx vhost to remove it's add_header directive

    for x-powered-by in Centmin Mod Nginx 123.09beta01 and newer there is additional steps to remove if you read in /usr/local/nginx/conf/nginx.conf to uncomment the 3rd & 4th lines

    Code (Text):
    # sets Centmin Mod headers via headers more nginx module
    # https://github.com/openresty/headers-more-nginx-module
    # don't remove the first 2 lines as centmin mod checks to see if they're
    # missing and re-adds them anyway. Just uncomment the 3rd & 4th lines
    # which is used to override the Server header to what you want = nginx
    # and remove the X-Powered-By header + restart nginx service
    # do not disable headers more nginx module itself as it's required for
    # other centmin mod features like redis nginx level caching & letsencrypt
    # integration in vhosts created by addons/acmetool.sh
    more_set_headers "Server: nginx centminmod";
    more_set_headers "X-Powered-By: centminmod";
    #more_set_headers "Server: nginx";
    #more_clear_headers "X-Powered-By";
    

    so it becomes
    Code (Text):
    more_set_headers "Server: nginx centminmod";
    more_set_headers "X-Powered-By: centminmod";
    more_set_headers "Server: nginx";
    more_clear_headers "X-Powered-By";
    
     
  3. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    5:47 PM
    1.9.10
    10.1.11
    Ah ok, some header checks returns empty so i guess they have been removed. So, it isn't possible remove all headers from nginx (also cloudflare who using it)

    Thanks for info
     
  4. rdan

    rdan Well-Known Member

    5,444
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    11:47 PM
    Mainline
    10.2
    Because Eva is using PWA so 2nd,3rd.. request/load doesn't return headers anymore :D.
     
  5. eva2000

    eva2000 Administrator Staff Member

    54,389
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    1:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    oh that might be the case if you're checking via browser devtool network tab as yes this forum is using PWA service worker as well Added Forum PWA Mode For Page Speed Improvements.

    but i still see x-powered-by header here on this forum

    upload_2018-11-11_0-27-20.png
     
  6. rdan

    rdan Well-Known Member

    5,444
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    11:47 PM
    Mainline
    10.2
    No header on HTTP Header Spy extension :).
     
  7. eva2000

    eva2000 Administrator Staff Member

    54,389
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    1:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    problem is the extension - try curl header checks at https://tools.keycdn.com/curl :)