- OS: Ubuntu 11.04
- HTTP Server: nginx 1.2.1
- compiled with the HttpHeadersMore module
- processing PHP via php-fastcgi
- (other irrelevant software – ruby, python, etc)
I’m trying to completely mask the software which serves the pages (partly security, mostly because it’s fun), I’ve managed to change the server name and remove the
X-Powered-By header which php-fastcgi adds, but I’m having trouble removing three headers:
Client-Date: Thu, 14 Jun 2012 20:32:34 GMT Client-Peer: 220.127.116.11:80 Client-Response-Num: 1
I have used
more_clear_headers from the HttpHeadersMore module but that has no effect, despite being able to remove the
This is in my
more_set_headers "Server: Tesco Value"; more_clear_headers "X-Powered-By"; more_clear_headers "Client-*"; more_clear_headers "Client-Date"; more_clear_headers "Client-Response-Num"; more_clear_headers "Client-Peer"; more_clear_headers "X-Pingback"; add_header X-Required-Volume-Setting 11; add_header X-Required-Speed 88mph; # NEW: added in thanks to the answer from @kworr - but still doesn't work fastcgi_hide_header "Client-Date"; fastcgi_hide_header "Client-Response-Num"; fastcgi_hide_header "Client-Peer";
If you run
HEAD slightlymore.co.uk you’ll see that neither explicit nor wildcard rules get rid of the header. I’m guessing that these headers are set after the
output-header-filter phase – but I’d like to know if anyone has any more information on this, and especially if anyone has a solution.
@kworr suggested that fastcgi_hide_header might be what I’m looking for – but still doesn’t work. Perhaps it’s just my system?
Those headers were not present in the HTTP response at all. Neither nginx nor php-fpm ever sent them, so trying to block them is pointless.
They are synthetic response headers added to the response by your user agent, libwww-perl.
If you don’t wish to see them, make HTTP requests with some other library, such as libcurl.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.