How do I check server tokens are off?

Solution 1:

From the manual you know what the setting does:

Syntax: server_tokens on | off;
Default: server_tokens on;
Context: http, server, location

Enables or disables emitting nginx version in error messages and in the “Server” response header field.

So your options are:

  • generate an error message, for instance if you don't have a custom 404 error message simply request a non-existing page and in the footer you won't see the version information nginx/1.2.3 any more.
  • inspect the server headers and confirm that the version is no longer displayed.

A simple check to see the HTTP response headers is to manually connect i.e. with: telnet www.example.com 80 where the client lines are what you enter:

client: HEAD / HTTP/1.1
client: Host: www.example.com

server: HTTP/1.1 200 OK
server: Date: Wed, 1 Jan 1970 22:13:05 GMT
server: Server: Nginx/1.2.3
server: Connection: close
server: Content-Type: text/html

Solution 2:

After a bit more googling, I have found curl command can check the server headers which shows both server tokens and php versions:

curl -I -L www.example.com

Thanks to Alexey for pointing out the change needed in PHP.

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 04 Jun 2015 10:49:35 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.example.com

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Jun 2015 10:49:36 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 04 Jun 2015 10:49:35 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1433414975"
Content-Language: en

Solution 3:

Also, if you serve PHP projects, you may need to change in /etc/nginx/{fastcgi,fastcgi_params).conf

fastcgi_param  SERVER_SOFTWARE    nginx;