Rule ID
SV-278395r1172748_rule
Version
V1R1
CCIs
Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure and content of error messages must be carefully considered by the organization and development team. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake such as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.
Determine the path to NGINX config file(s):
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Verify that the "server_tokens" directive is present, is not set to "on", and is not set to a custom string that identifies version information.
nginx -c <path to nginx config> -qT | grep server_tokens
server_tokens off;
If the "server_tokens" directive is missing, this is a finding.
If the "server_tokens" directive is set to "on", this is a finding.
If the "server_tokens" directive includes the version number, this is a finding.Determine the path to NGINX config file(s):
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Add or modify the "server_tokens" directive to set to "off" or set to a custom string without the version information.
http {
server_tokens off;
...
}
Restart nginx after modifying the configuration:
# nginx -s reload