Home / server / Questions / 696551
Accepted
jamboNum5
Asked: 2015-06-05 01:06:22 +0800 CST

How do I check server tokens are off?

  • 772

We had feedback from our pentest report saying we should turn off server tokens. This is stop people being able to see which version of PHP we are using, and limit their ability to target the specific PHP version.

I have added the following to nginx.conf, under the http block:

server_tokens off;

But what tools can I use to check this change has taken affect?

nginx

4 Answers

  1. From the manual you know what the setting does:

    Syntax: server_tokens on | off;
    Default: server_tokens on;
    Context: http, server, location

    Enables or disables emitting nginx version in error messages and in the “Server” response header field.

    So your options are:

    • generate an error message, for instance if you don't have a custom 404 error message simply request a non-existing page and in the footer you won't see the version information nginx/1.2.3 any more.
    • inspect the server headers and confirm that the version is no longer displayed.

    A simple check to see the HTTP response headers is to manually connect i.e. with: telnet www.example.com 80 where the client lines are what you enter:

    client: HEAD / HTTP/1.1
    client: Host: www.example.com

    server: HTTP/1.1 200 OK
    server: Date: Wed, 1 Jan 1970 22:13:05 GMT
    server: Server: Nginx/1.2.3
    server: Connection: close
    server: Content-Type: text/html

    • 17
  2. Best Answer

    After a bit more googling, I have found curl command can check the server headers which shows both server tokens and php versions:

    curl -I -L www.example.com

    Thanks to Alexey for pointing out the change needed in PHP.

    HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 04 Jun 2015 10:49:35 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.example.com

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Jun 2015 10:49:36 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 04 Jun 2015 10:49:35 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1433414975"
Content-Language: en
    • 7

  3. Also, if you serve PHP projects, you may need to change in /etc/nginx/{fastcgi,fastcgi_params).conf 

    fastcgi_param  SERVER_SOFTWARE    nginx;
    • 3

  4. Take a look at InSpec, a tool that allows you "turn your compliance, security, and other policy requirements into automated tests."

    https://www.inspec.io

    It can do all the configuration testing that you need for your Nginx server. Here's one way to test for the existence of the conf file and the value of server_tokens:

    conf_path = '/etc/nginx/nginx.conf'

control 'Server tokens should be off' do
  describe file(conf_path) do
    it 'The config file should exist and be a file.' do
      expect(subject).to(exist)
      expect(subject).to(be_file)
    end
  end
  if (File.exist?(conf_path))
    Array(nginx_conf(conf_path).params['http']).each do |http|
      describe "http:" do
        it 'server_tokens should be off if found in the http context.' do
          Array(http["server_tokens"]).each do |tokens|
            expect(tokens).to(cmp 'off')
          end
        end
      end
    end
  end
end

    If set correctly, InSpec returns:

      ✔  Server tokens should be off: File /etc/nginx/nginx.conf
     ✔  File /etc/nginx/nginx.conf The config file should exist and be a file.
     ✔  http: server_tokens should be off if found in the http context.

    If not:

      ×  Server tokens should be off: File /etc/nginx/nginx.conf (1 failed)
     ✔  File /etc/nginx/nginx.conf The config file should exist and be a file.
     ×  http: server_tokens should be off if found in the http context.

     expected: "off"
          got: ["on"]

     (compared using `cmp` matcher)
    • 0