NGINX must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-278395	SRG-APP-000266	NGNX-APP-001070	SV-278395r1172748_rule	2026-01-07	1

Description
Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure and content of error messages must be carefully considered by the organization and development team. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake such as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.

Description

Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure and content of error messages must be carefully considered by the organization and development team. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake such as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.

ℹ️ Check
Determine the path to NGINX config file(s): # nginx -qT \| grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Verify that the "server_tokens" directive is present, is not set to "on", and is not set to a custom string that identifies version information. nginx -c <path to nginx config> -qT \| grep server_tokens server_tokens off; If the "server_tokens" directive is missing, this is a finding. If the "server_tokens" directive is set to "on", this is a finding. If the "server_tokens" directive includes the version number, this is a finding.

ℹ️ Check

Determine the path to NGINX config file(s): # nginx -qT | grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Verify that the "server_tokens" directive is present, is not set to "on", and is not set to a custom string that identifies version information. nginx -c <path to nginx config> -qT | grep server_tokens server_tokens off; If the "server_tokens" directive is missing, this is a finding. If the "server_tokens" directive is set to "on", this is a finding. If the "server_tokens" directive includes the version number, this is a finding.

✔️ Fix
Determine the path to NGINX config file(s): # nginx -qT \| grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Add or modify the "server_tokens" directive to set to "off" or set to a custom string without the version information. http { server_tokens off; ... } Restart nginx after modifying the configuration: # nginx -s reload

✔️ Fix

Determine the path to NGINX config file(s): # nginx -qT | grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Add or modify the "server_tokens" directive to set to "off" or set to a custom string without the version information. http { server_tokens off; ... } Restart nginx after modifying the configuration: # nginx -s reload