Remove PHP X-Powered-By & Nginx Version

For security reasons, we need to remove the X-Powered-By header and the Nginx version from response headers.


To remove X-Powered-By completely, find the expose_php line in php.ini and set it to Off:

expose_php = Off

or add the following directive to the Nginx configuration:

# Prevent version info leakage
fastcgi_hide_header X-Powered-By;


To remove the version number from the Server header, disable server_tokens in nginx.conf. The header is then sent as "Server: nginx", without the version.

server_tokens off;
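
To confirm that both settings took effect, the response headers can be checked after reloading PHP and Nginx. The script below is an added example, not part of the original post; the function name check_headers, the sample responses and the example.com URL are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit response headers for the two leaks covered above.
# check_headers reads raw response headers on stdin and returns
#   0 if no X-Powered-By header is present and Server carries no version,
#   1 otherwise, printing one LEAK line per finding.
check_headers() {
    awk '
        BEGIN { bad = 0 }
        { sub(/\r$/, "") }                       # drop CR of CRLF line endings
        {
            name = tolower($0); sub(/:.*/, "", name)             # header name
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)  # header value
        }
        name == "x-powered-by" { print "LEAK: X-Powered-By: " value; bad = 1 }
        name == "server" && value ~ /[0-9]+\.[0-9]+/ {
            print "LEAK: Server version: " value; bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample responses (not captured from a real server).
SAMPLE_BEFORE='HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: PHP/7.4.3\r\n\r\n'
SAMPLE_AFTER='HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'

# Against a live host (hypothetical URL): curl -sI https://example.com/ | check_headers
printf '%b' "$SAMPLE_BEFORE" | check_headers || echo "before: headers leak"
printf '%b' "$SAMPLE_AFTER"  | check_headers && echo "after: clean"
```

The header name match is case-insensitive, so the check also works on HTTP/2 responses, where header names arrive in lowercase.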

To change the server string itself, edit the Nginx source and recompile:

vim +49 src/http/ngx_http_header_filter_module.c

Find the lines:

static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

See also: Customize Your Nginx Server Name After Compiling From Source