Headers more filter module
Background
By default nginx exposes its product name and version in the response header, for example Server: nginx/1.18.0. Knowing the type and version of the web server lets testers look up known vulnerabilities for that version and pick the matching exploits during testing. An exposed server banner is usually considered a low-severity finding on its own. However, depending on the level of compliance required, it can be grounds for a compliance rejection.
Severity Evaluation
Based on the National Vulnerability Database (NVD), the CVSS v3.0 severity rating of this finding can be summarized as shown below:
CVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base Score: 3.7
Severity: Low (0.1 - 3.9)
Reference
CWE-200: Information Exposure
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework
Enel IT Security Guidelines - APPLICATIONS (Guideline no. 7, Version no. 2, dated 30/09/2017): paragraph 2.6. Control #32: Coding, Subparagraph 2.6.1 - Baseline
Remediation
Remove or modify the banners included in responses so that they reveal nothing about the technologies in use. server_tokens off alone is not enough: it only strips the version, leaving the header Server: nginx, because the Server header is emitted by nginx core and cannot be removed by the stock configuration directives. Compiling the headers-more filter module (ngx_http_headers_more_filter_module) into nginx and adding it to the image is a simple way to either replace the Server header (more_set_headers 'Server: web';) or remove it entirely, as in the example below. If the module is built as a dynamic module it must also be loaded with a load_module directive at the top of nginx.conf; without it nginx refuses to start with an "unknown directive more_clear_headers" error. Keep server_tokens off as well, since it also removes the version from nginx-generated error pages.
RUN { \
echo 'server_tokens off;'; \
echo 'more_clear_headers Server;'; \
} > /etc/nginx/conf.d/server_banner.conf
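To confirm the fix from outside the container, the check below is an added example (not code from the original page or from the headers-more module). It classifies the Server header of an HTTP response as printed by curl -sI, distinguishing the nginx default (product and version), server_tokens off alone (product only) and the header removed by more_clear_headers. The three responses are constructed samples, not captured traffic; the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: verify the Server banner remediation on a response.
# Against a live host (network required):
#   check_server_banner "$(curl -sI https://example.test/)"

# Extract the value of the Server header (case-insensitive name match),
# stripping the CR of the CRLF line endings used on the wire.
server_header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print one of three verdicts and always exit 0:
#   absent       - no Server header (more_clear_headers Server in effect)
#   product-only - name but no version (server_tokens off without the module)
#   version-leak - product and version visible (nginx default)
check_server_banner() {
    value=$(server_header_value "$1")
    if [ -z "$value" ]; then
        echo absent
    else
        # A slash followed by a digit marks a product/version banner
        # such as nginx/1.18.0 or Apache/2.4.41 (Ubuntu).
        case "$value" in
            */[0-9]*) echo version-leak ;;
            *)        echo product-only ;;
        esac
    fi
}

# Constructed sample responses (CRLF-terminated like real HTTP headers).
DEFAULT_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n')
TOKENS_OFF_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n')
HEADERS_MORE_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')

printf 'nginx default      : %s\n' "$(check_server_banner "$DEFAULT_RESPONSE")"
printf 'server_tokens off  : %s\n' "$(check_server_banner "$TOKENS_OFF_RESPONSE")"
printf 'more_clear_headers : %s\n' "$(check_server_banner "$HEADERS_MORE_RESPONSE")"
```

Run it after rebuilding the image and point it at every listener (including the error pages, e.g. a request for a path that returns 404), since a banner that is cleared on a 200 response but still present on nginx-generated error responses will still be flagged by a scanner.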