How to disable server_tokens in nginx.conf

Hide the Nginx version number from HTTP response headers and error pages by disabling the server_tokens directive in nginx.conf.

Prerequisites

  • Root or sudo access to the server running Nginx.
  • SSH access to edit the nginx.conf configuration file.

Step-by-Step: Disable server_tokens in nginx.conf

  1. Open the nginx.conf configuration file. The file resides at /etc/nginx/nginx.conf on most Linux distributions.
     sudo vi /etc/nginx/nginx.conf
  2. Add the server_tokens off; directive inside the http { } block to apply the setting globally across all server blocks. Nginx displays its version number in the Server response header and on default error pages by default. Disabling server_tokens prevents attackers from identifying the exact Nginx version and targeting known vulnerabilities.
     http {
         server_tokens off;

         # other directives
     }

Nginx also accepts server_tokens off; inside individual server { } or location { } blocks to disable version disclosure for specific virtual hosts or URL paths.

  3. Test the nginx.conf configuration for syntax errors.
     sudo nginx -t
  4. Reload Nginx to apply the change.
     sudo systemctl reload nginx

How to Verify server_tokens Is Disabled

Nginx stops including the version number in the Server response header after the directive takes effect. Use curl to inspect the response headers:

curl -I https://example.com/

The Server header should show nginx without a version number. Before disabling server_tokens, the header displays nginx/1.x.x. After disabling, it displays nginx.

Common Issues When Disabling server_tokens

The Server header still shows "nginx". The server_tokens off directive removes the version number but does not remove the Server: nginx header entirely. Removing the header completely requires the ngx_http_headers_more_module and the directive more_clear_headers Server;. This module is not included in the default Nginx package and must be compiled separately or installed from a third-party repository.

Directive in the wrong context. A server_tokens on; directive in a child server block overrides the global server_tokens off; in the http block. Check all server blocks for conflicting values.
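
Checking every server block by hand gets tedious once the configuration is split across included files. The following is an added example, not part of the original article: a shell function that reads the full configuration dump printed by nginx -T, tracks which block each server_tokens directive sits in, and flags any value other than off. The function name audit_server_tokens and the sample configuration are constructed for illustration.

```sh
# Added example (not from the original page): audit an `nginx -T` dump for
# server_tokens directives and flag any value other than "off".
# Limitation: a '#', '{', '}' or ';' inside a quoted string is not handled.
audit_server_tokens() {
    awk '
    BEGIN { file = "-" }
    /^# configuration file / {          # per-file marker printed by nginx -T
        file = substr($0, 22); sub(/:$/, "", file); fline = 0; next
    }
    {
        fline++
        line = $0
        sub(/#.*/, "", line)            # strip comments
        while (match(line, /[{};]/)) {  # consume one statement per delimiter
            stmt  = pending " " substr(line, 1, RSTART - 1)
            delim = substr(line, RSTART, 1)
            line  = substr(line, RSTART + 1)
            pending = ""
            gsub(/^[ \t]+|[ \t]+$/, "", stmt)
            split(stmt, w, /[ \t]+/)
            if (delim == "{") {
                ctx[++depth] = w[1]     # entering http/server/location/...
            } else if (delim == "}") {
                if (depth > 0) depth--
            } else if (w[1] == "server_tokens") {
                path = "main"
                for (i = 1; i <= depth; i++) path = path ">" ctx[i]
                verdict = (w[2] == "off") ? "ok" : "FLAG"
                if (verdict == "FLAG") bad = 1
                printf "%s %s:%d %s server_tokens=%s\n", verdict, file, fline, path, w[2]
            }
        }
        pending = pending " " line      # statement continues on the next line
    }
    END { exit bad + 0 }                # exit status 1 if anything was flagged
    '
}

# Constructed sample dump: the server block re-enables what http disabled.
SAMPLE_DUMP='# configuration file /etc/nginx/nginx.conf:
http {
    server_tokens off;
    server {
        listen 80;
        server_tokens on;
        location /status { server_tokens off; }
    }
}'
printf '%s\n' "$SAMPLE_DUMP" | audit_server_tokens || echo "version disclosure still enabled"
```

On a live host, pipe the real dump into the function with sudo nginx -T 2>/dev/null | audit_server_tokens; each FLAG line names the file, line number and block of a directive that overrides the global setting.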