I'm working on a Flask app that uses gunicorn and nginx and should hide its server header, so I managed to do it only for the homepage, like this:
gunicorn.conf.py
    import gunicorn
    gunicorn.SERVER = '.'
nginx.conf
    events {
        worker_connections 1024;
    }
    http {
        include /etc/nginx/mime.types;
        # include /etc/nginx/conf.d/*.conf;
        server {
            #server_tokens off;
            proxy_pass_header Server; # get server from gunicorn
            # let the browsers know that we only accept HTTPS
            add_header Strict-Transport-Security max-age=2592000;
            listen 80;
            add_header Content-Security-Policy $CSPheader;
            gzip on;
            location / {
                proxy_pass http://127.0.0.1:5000;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                client_max_body_size 5M;
            }
            location /static/ {
                alias /home/app/static/;
                proxy_set_header Cookie $http_cookie;
                add_header X-Content-Type-Options nosniff;
            }
        }
    }
So, in my "/" page I'm getting
But elsewhere I'm displaying my server:
I'm not sure about how communication between nginx and gunicorn works, but I seem to be having a similar problem to this post, but I'm not sure how to use this information.
Any help to actually hide my server header would be really appreciated. Thanks!
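
An added example, not part of the original post: in the posted config `proxy_pass_header Server` only affects responses proxied from gunicorn, while `/static/` is served by nginx itself through `alias`, so a per-route check of the `Server` header shows which responses still disclose it. The paths and response heads below are constructed samples, and `ALLOWED`, `server_header`, `classify` and `audit` are names chosen for this example.

```python
import re

ALLOWED = {"."}  # masked value the post sets through gunicorn.SERVER
VERSION_RE = re.compile(r"/\d+(\.\d+)*")  # e.g. "/1.18.0"


def server_header(raw_head):
    """Return the Server value from a raw HTTP response head, or None."""
    for line in raw_head.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def classify(value):
    """'ok' when absent or masked, else 'product' or 'product+version'."""
    if value is None or value in ALLOWED:
        return "ok"
    return "product+version" if VERSION_RE.search(value) else "product"


def audit(heads):
    """Return {path: (Server value, verdict)} for every path that leaks."""
    findings = {}
    for path, raw in heads.items():
        value = server_header(raw)
        verdict = classify(value)
        if verdict != "ok":
            findings[path] = (value, verdict)
    return findings


# Constructed sample response heads, not captured from the poster's site.
SAMPLE = {
    "/": "HTTP/1.1 200 OK\r\nServer: .\r\nContent-Type: text/html\r\n\r\n",
    "/static/app.css": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
                       "Content-Type: text/css\r\n\r\n",
    "/static/missing": "HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n",
}

if __name__ == "__main__":
    for path, (value, verdict) in audit(SAMPLE).items():
        print(f"{path}: Server={value!r} -> {verdict}")
```

The raw head that `curl -sI` prints for a route can be passed to `audit` in the same form as the samples.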

