
How to hide / stop server version in HTTP/1.1 200 OK in rails [ nginx/1.0.6 + Phusion Passenger 3.0.9 ]

Hi, in my Rails application I am using nginx/1.0.6, Phusion Passenger to host my Rails application. But for the security issue I want to stop the display of headers on the public network. Now when I run the following curl command:

curl -I http://domain.name

it gives me the following trace:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.9
ETag: "b7da2b7b2fa6349"
X-UA-Compatible: IE=Edge,chrome=1
X-Runtime: 1.193656
Set-Cookie: demand_session=BAh7ByIQX2NzcmZfdG9rZW4iMUVMREdHRDJGcHhnVzhWNTNsRGhGSWRyNmRQbWZZSnpyZGcwbFYx3D%3D--eb470df0951aac0e6612861ef30ed7a699d073a0; path=/; HttpOnly
Cache-Control: max-age=0, private, must-revalidate
Server: nginx/1.0.6 + Phusion Passenger 3.0.9 (mod_rails/mod_rack)

But I want to hide these headers from being displayed: Server, Set-Cookie, X-Powered-By, X-UA-Compatible, ETag, Cache-Control.

If you are using a proxy, you can use and configure the proxy_hide_header directive from the proxy module like this:

proxy_hide_header X-Powered-By;
proxy_hide_header X-UA-Compatible;
proxy_hide_header X-Runtime;
proxy_hide_header ETag;

# and so on...

But this directive only allows you to hide headers coming from the proxy server. For response headers coming from the main server, not the proxy, you can use the set directive and the variable $sent_http_HEADER, where HEADER means the name of the header you would like to set. Here is an example:

set $sent_http_x_powered_by your_value;
set $sent_http_etag your_value;
set $sent_http_cache_control your_value;

# and so on...

But take two things into consideration: 1. The set directive works only in server, location and if blocks. 2. As you can read in the comments on your question, it's not really a good idea to hide or change some headers like Cache-Control, because they aren't only information but have an impact on how browsers and user clients work.
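
A check for the distinction the answer draws, as an added example that is not part of the original question or answer: the shell function below reads `curl -I` output and separates headers that only disclose software or timing details from headers that clients depend on. The sample input is an abbreviated copy of the trace above with a constructed cookie value; the function names and the LEAK-*/KEEP labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# LEAK-*/KEEP labels are assumptions made for this illustration.

# Read raw response headers (e.g. from `curl -sI URL`) on stdin and print
# one classification line per header of interest.
audit_headers() {
    tr -d '\r' | awk '
        index($0, "HTTP/") == 1 || index($0, ":") == 0 { next }  # status/blank
        {
            colon = index($0, ":")
            name  = tolower(substr($0, 1, colon - 1))
            value = substr($0, colon + 1)
            sub(/^[ \t]+/, "", value)
            if (name == "server" || name == "x-powered-by") {
                # "/1.0" or " 3.0" after a product name is a version string.
                if (value ~ "[/ ][0-9]+[.][0-9]+") print "LEAK-VERSION " name
                else                               print "LEAK-PRODUCT " name
            } else if (name == "x-runtime") {
                print "LEAK-TIMING " name      # server-side processing time
            } else if (name == "cache-control" || name == "etag" ||
                       name == "set-cookie") {
                print "KEEP " name             # clients rely on these
            }
        }'
}

# Constructed sample: the trace from the question, abbreviated, with the
# session cookie replaced by a placeholder value.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Status: 200
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.9
ETag: "b7da2b7b2fa6349"
X-Runtime: 1.193656
Set-Cookie: demand_session=CONSTRUCTED_VALUE; path=/; HttpOnly
Cache-Control: max-age=0, private, must-revalidate
Server: nginx/1.0.6 + Phusion Passenger 3.0.9 (mod_rails/mod_rack)
EOF
}

sample_headers | audit_headers
```

Running the same function against `curl -sI` output after a configuration change shows whether any LEAK lines remain while the KEEP headers are still present.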
