Hide server tokens #2595
Replies: 4 comments
Good point. Do you see any other rationale besides the fact that a would-be attacker can determine what vulnerabilities your server has based on your nginx version? I've made this update to our Listed server as a preliminary test to make sure it doesn't throw anything off. Will update main servers after that.
It's mainly to reduce information leakage for the reason you suggested. Depending on how you read the advice from the Apache httpd docs: https://httpd.apache.org/docs/current/mod/core.html#servertokens, it may seem ineffective or even a bad idea!? I strongly disagree with their statement regarding security regarding tokens on that page, as would Qualys, OWASP, and plenty of other security auditing software. Regardless, if you don't need it for your own debugging purposes then I don't see the benefit of sending extra, redundant bytes in every response.
Interesting (and very direct) note by Apache. Will have to consider this one more.
Could also be read as "if you're not trying to debug, then it doesn't hurt to."
That's true in the sense that hiding tokens does not itself prevent someone exploiting a vulnerability. It definitely does make it more difficult for an attacker to determine the version, and that may assist them in finding a vulnerability to exploit.
I'd argue that's a truism. At the same time though, I'm not sure anyone would say revealing more information about your system than necessary is good security. Just my $0.02.
Both app and sync.standardnotes.org reveal software versions in the HTTP response Server headers:
app: nginx/1.10.3 + Phusion Passenger 5.1.4
sync: nginx/1.10.3
Including this configuration (see here) is recommended to avoid revealing versions:
server_tokens off;
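An added example, not code from the Standard Notes project or from anyone in this thread: a small Python checker that parses a raw HTTP header block (what `curl -sI https://host/` prints) and flags version strings in the Server and X-Powered-By headers, so the change can be verified on each host after deployment. The "before" sample mirrors the headers quoted above; the "after" sample assumes nginx with `server_tokens off;` plus Passenger's own `passenger_show_version_in_header off;`, since `server_tokens` by itself does not control the Passenger part of the header.

```python
# Added example (not Standard Notes project code): audit a raw HTTP header
# block, as printed by `curl -sI https://host/`, for software version strings.
import re
from typing import Dict, List

# Headers that commonly identify the server software stack.
DISCLOSING_HEADERS = ("server", "x-powered-by", "via", "x-aspnet-version")
# product/1.2.3 or "Product 1.2.3": a name followed by a dotted version number.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*[ /]v?\d+(?:\.\d+)+")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines (status line skipped) into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw: str) -> List[str]:
    """Return 'header: token' findings for every version string in a disclosing header."""
    findings: List[str] = []
    for name, value in parse_headers(raw).items():
        if name in DISCLOSING_HEADERS:
            findings.extend(f"{name}: {m}" for m in VERSION_RE.findall(value))
    return findings


# Constructed sample mirroring the app host's headers before the change.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.10.3 + Phusion Passenger 5.1.4\r\n"
    "X-Powered-By: Phusion Passenger 5.1.4\r\n"
    "Content-Type: text/html\r\n"
)
# Constructed sample of the assumed result with `server_tokens off;` (nginx) and
# `passenger_show_version_in_header off;` (Passenger): product names remain,
# because nginx does not drop the Server header entirely, but versions are gone.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx + Phusion Passenger\r\n"
    "X-Powered-By: Phusion Passenger\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, version_disclosures(raw) or "no version strings found")
```

Removing the Server header entirely (rather than just the version) is not possible with stock nginx directives and needs a module such as headers-more; the checker above treats a bare product name as acceptable.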