Libera-Chat/libera-chat.github.io

[SECURITY] Nginx version is showing

melroy89 opened this issue · 6 comments

When I go to: https://web.libera.chat/checkyourversion

I can see your Nginx version (=1.18.0). This is a security threat.

Please try to disable the powered-by message and disable the server tokens, so you don't see the nginx version:

server_tokens off;                 # stop nginx from appending its version to the Server header and to built-in error pages
fastcgi_hide_header X-Powered-By;  # strip the X-Powered-By header that a FastCGI backend (e.g. PHP) adds to its responses

Regards,
Melroy
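The check behind this report, written out as an added example (it is not code from the issue, from the reporter, or from Libera.Chat's configuration): parse the response headers of an HTTP reply and list every header that carries a product version. The two sample responses are constructed for the example; only the nginx/1.18.0 value comes from the report above, the PHP version and the other headers are assumed. The regular expression and the list of disclosing headers are this example's own choices.

```python
import re
import urllib.request

# Constructed sample responses (not captured from web.libera.chat). The first
# mimics nginx with the default `server_tokens on` in front of a PHP backend;
# the second the same setup after `server_tokens off` and
# `fastcgi_hide_header X-Powered-By`.
RAW_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "\r\n"
)
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Response headers that commonly carry "product/version" strings (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# "nginx/1.18.0" -> product "nginx", version "1.18.0"; a bare "nginx" has no version group.
VERSION_RE = re.compile(r"^\s*([A-Za-z][\w.+-]*)(?:/(\d[\w.-]*))?")


def parse_headers(raw):
    """Split the head of an HTTP/1.x response into (status line, {lower-cased name: value}).
    Repeated headers are joined with ', ', which is how HTTP defines their meaning."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def version_leaks(headers):
    """Return {header: (product, version)} for each disclosing header whose value
    includes a version number. A bare product name is not reported: that nginx is
    in use is public anyway, the version string is what the report objects to."""
    leaks = {}
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        m = VERSION_RE.match(value)
        if m and m.group(2):
            leaks[name] = (m.group(1), m.group(2))
    return leaks


def check_response(raw):
    """Convenience wrapper: raw response text in, dict of version leaks out."""
    _, headers = parse_headers(raw)
    return version_leaks(headers)


def fetch_header_leaks(url):
    """Run the same check against a live URL with a HEAD request (network access;
    not exercised by the offline samples below)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
    return version_leaks(headers)


if __name__ == "__main__":
    for label, raw in (("default", RAW_DEFAULT), ("hardened", RAW_HARDENED)):
        leaks = check_response(raw)
        if leaks:
            for hdr, (product, version) in leaks.items():
                print(f"{label}: {hdr} discloses {product} {version}")
        else:
            print(f"{label}: no version strings in response headers")
```

Run as a script it reports the Server and X-Powered-By leaks for the default sample and nothing for the hardened one; pointing fetch_header_leaks at a real URL gives the same verdict for a live server. Note that server_tokens off only hides the version; fingerprinting the build from error-page wording or header ordering is still possible, which is the maintainer's point below.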

Showing the version is only a security issue if we don't install security updates. If it were vulnerable to a known exploit and a fix would be available by updating, hiding the nginx version does not fix that vulnerability.

True, but it's still not wise to show the version, because of zero-day vulnerabilities.

But well, you don't need to listen to me.

The very definition of a zero-day vulnerability is one for which there is no software update from the vendor. I'm not sure what that has to do with whether the version is shown or not; by definition, all versions are vulnerable.

Because I can see whether or not you applied the patch already on a zero-day vulnerability.

Well, I mean, if you can't see the version you'll just try the exploit anyway and find out that way whether we patched it or not.

Security by obscurity doesn't actually make anything secure.

That is also true. But you make it easier. That's it.

Should I close the issue? Since it seems that you don't want to change the nginx settings.