Warning · security

Server Tokens Visible

Why you should disable server_tokens in Nginx to hide your server version.

What This Rule Checks

This rule checks whether the `server_tokens` directive is set to `off`. When enabled (the default), Nginx exposes its version number in response headers and error pages.

Why It Matters

Exposing your Nginx version reveals information attackers can use to find known vulnerabilities specific to that version. This is a common finding in security audits and penetration tests.

Bad — Triggers this rule

server {
    listen 80;
    server_name example.com;
    # server_tokens is "on" by default — version exposed
}

Good — Passes this rule

server {
    listen 80;
    server_name example.com;
    server_tokens off;
}

How to Fix

Add `server_tokens off;` to your `http`, `server`, or `location` block. The `http` block is recommended so it applies globally.
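
The inheritance behind that recommendation can be checked offline. The following is an added example, not the linter's own code: a small Python audit that resolves the effective `server_tokens` value for every `server` and `location` block and reports those that do not resolve to `off`. The function names and the sample config are assumptions made for illustration; the parser is simplified (it does not follow `include` files and treats any `#` as the start of a comment).

```python
import re
# Constructed sample (not from the page): "off" at http level, re-enabled in one server.
SAMPLE_CONF = """
http {
    server_tokens off;
    server { listen 80; server_name a.example.com; }
    server {
        server_name b.example.com;
        location /health { return 200; }   # inherits from its server block
        server_tokens on;                  # overrides the http-level "off"
    }
}
"""

def tokenize(conf):
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (ignores '#' inside quotes)
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', conf)

def parse(tokens, i=0):
    """Build a tree first: a block's own directives apply wherever they appear in it."""
    block, words = {"directives": {}, "children": []}, []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == ";":
            if words:
                block["directives"][words[0]] = words[1:]
            words = []
        elif tok == "{":
            child, i = parse(tokens, i)
            block["children"].append((" ".join(words), child))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok.strip("\"'"))
    return block, i

def findings(block, path="main", header="", inherited="on"):
    """Return (context, value) for server/location blocks not resolving to 'off'."""
    value = (block["directives"].get("server_tokens") or [inherited])[0]
    flagged = header.partition(" ")[0] in ("server", "location") and value != "off"
    out = [(path, value)] if flagged else []
    for hdr, child in block["children"]:
        name = child["directives"].get("server_name")
        label = f"{hdr} [{name[0]}]" if name else hdr
        out += findings(child, f"{path} > {label}", hdr, value)
    return out

def audit(conf):
    return findings(parse(tokenize(conf))[0])
```

Calling `audit(SAMPLE_CONF)` reports the second server and its `/health` location, while the first server passes through the `http`-level setting. A config that passes still sends `Server: nginx`; only the version string is removed.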
