
NGINX: How to Overwrite the Server Response Header

Last updated: January 20, 2024

Introduction

Working with server response headers is essential for web developers and system administrators who want to optimize their web applications’ security, performance, and compliance. NGINX is one of the most common web servers in use today, thanks to its high performance and versatility. In this tutorial, you’ll learn how to overwrite server response headers using NGINX. This is crucial for hiding server information, setting security policies, or complying with CORS requirements.

This tutorial assumes that you have a working NGINX server and a basic understanding of its configuration file structure.

Setting Up Your NGINX Environment

Before we jump into modifying response headers, let’s make sure your NGINX is up and running. Install NGINX using your system’s package manager if it’s not already installed:

sudo apt update
sudo apt install nginx

Once installed, start NGINX with:

sudo systemctl start nginx

Verify it’s running by visiting http://localhost/ or http://your_server_ip/ in your web browser.

Basic Header Modification

NGINX allows for modification of response headers using the add_header directive. Here’s a simple example:

server {
    listen 80;
    server_name example.com;
 
    location / {
        add_header X-My-Custom-Header "My Value";
    }
}

This configuration will add a header X-My-Custom-Header with the value My Value to the response of any request matching the location block.

Overwriting Server Headers

NGINX does not readily expose a directive to overwrite an existing header. However, you can use a map block to derive a replacement value from the outgoing Server header ($sent_http_server) and then pass that value to the add_header directive as the new Server value, achieving an overwrite effect.

http {
    map $sent_http_server $server_header {
        default "";
        ~^nginx "/My_Custom_Server";
    }
 
    server {
        listen 80;
        server_name example.com;
 
        location / {
            add_header Server $server_header;
        }
    }
}

In the code above, we’re setting an empty default value for the Server header, and if the Server header value begins with “nginx”, we change it to “/My_Custom_Server”. This configuration works to “overwrite” the Server header.

Advanced Header Manipulation with more_set_headers

For more complex header manipulation tasks, consider using the headers-more-nginx-module. The module provides directives such as more_set_headers and more_clear_headers that can set and clear headers more explicitly than the built-in directives.

# Installation instructions for the headers-more-nginx-module ...

Once you have the `headers-more-nginx-module` installed, use it as follows:

server {
    listen 80;
    server_name example.com;
 
    location / {
        more_set_headers 'Server: My_Custom_Server';
        # other headers ...
    }
}

This configuration will unconditionally set the Server header to “My_Custom_Server”.

Security Considerations

Overwriting the Server header can have security implications. It is often done to mask the server’s identity and version to make it more difficult for attackers to exploit known vulnerabilities. Additionally, ensure that you do not inadvertently unset headers that are required for your application’s security, like the Content-Security-Policy or Strict-Transport-Security. Always test your configurations before deploying to production.
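
A check to run after changing header configuration, added here as an example that is not part of the original tutorial: it parses a raw response head (for instance the output of curl -sI) and reports a repeated Server field, a Server value that still carries a version number, and the absence of the two security headers named above. add_header appends a field without removing one that is already present, so counting Server fields is a direct way to confirm that an overwrite took effect. The function names and the two sample responses are constructed for illustration.

```python
import re

# Headers the tutorial names as ones not to lose while editing configuration.
REQUIRED = ("content-security-policy", "strict-transport-security")
# A product token followed by "/<digit>" discloses a version, e.g. nginx/1.24.0.
VERSION_RE = re.compile(r"/\d")


def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP response head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs = []
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw, required=REQUIRED):
    """List findings for one response; an empty list means it passed."""
    pairs = parse_headers(raw)
    servers = [v for n, v in pairs if n == "server"]
    present = {n for n, _ in pairs}
    findings = []
    if len(servers) > 1:
        findings.append("duplicate Server header: " + " | ".join(servers))
    findings += ["Server discloses version: " + v
                 for v in servers if VERSION_RE.search(v)]
    findings += ["missing " + h for h in required if h not in present]
    return findings


# Constructed samples (not captured from a real server).
BEFORE = ("HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n"
          "Server: My_Custom_Server\r\nContent-Type: text/html\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nServer: My_Custom_Server\r\n"
         "Content-Security-Policy: default-src 'self'\r\n"
         "Strict-Transport-Security: max-age=31536000\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample) or "ok")
```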

CORS Example

Handling Cross-Origin Resource Sharing (CORS) is another scenario where modifying headers can be important.

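server {
    listen 80;
    server_name api.example.com;
 
    location / {
        # Anchor the pattern and escape the dots so that only these exact
        # origins match; an unanchored pattern also matches look-alike hosts.
        if ($http_origin ~* "^https?://(example\.com|another-example\.com)$") {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Credentials' 'true';
        }
    }
}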

In this configuration, we are conditionally adding CORS headers if the request originates from either example.com or another-example.com.
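
Why the Origin test must be anchored when the matched value is echoed back with Access-Control-Allow-Credentials, shown as an added example that is not part of the original tutorial: it models the ~* operator (a case-insensitive, unanchored regex search) and compares an unanchored pattern with an anchored one. The Origin values, including the .test hosts, and the function names are constructed for illustration.

```python
import re

# nginx's "~*" operator is a case-insensitive, unanchored regex search,
# modelled here with re.search and re.IGNORECASE.
UNANCHORED = re.compile(r"(example.com|another-example.com)", re.IGNORECASE)
ANCHORED = re.compile(
    r"^https?://(example\.com|another-example\.com)$", re.IGNORECASE)

# Constructed Origin values; the .test hosts are placeholders.
ORIGINS = [
    "https://example.com",
    "https://another-example.com",
    "https://EXAMPLE.com",
    "https://example.com.attacker.test",   # trusted name used as a prefix
    "https://notexample.com",              # trusted name used as a suffix
    "https://exampleXcom.test",            # "." matched an arbitrary character
    "https://unrelated.test",
]


def cors_headers(origin, pattern):
    """Headers the location block would add for this Origin under `pattern`."""
    if origin and pattern.search(origin):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def wrongly_trusted(origins=ORIGINS):
    """Origins reflected by the unanchored pattern but not the anchored one."""
    return [o for o in origins
            if cors_headers(o, UNANCHORED) and not cors_headers(o, ANCHORED)]


if __name__ == "__main__":
    for o in ORIGINS:
        print(f"{o:40} unanchored={bool(cors_headers(o, UNANCHORED))!s:5} "
              f"anchored={bool(cors_headers(o, ANCHORED))}")
```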

Troubleshooting

NGINX configuration issues can often lead to unexpected behavior when setting or overwriting headers. Use the nginx -t command to test your configurations:

sudo nginx -t

If NGINX returns any errors, it will often point you directly to the line number and the issue within your configuration file.

Conclusion

Modifying response headers in NGINX allows developers and administrators to control aspects of security, compliance, and web application behavior. While NGINX does not offer a straightforward overwrite header directive, using map and additional modules such as `headers-more-nginx-module`, you can manipulate response headers effectively. Always remember to test your configuration and understand the implications of the changes you make.
