How to remove the server header from Kubernetes deployed applications


I am asking this question in the style of question then answer.

If you create your Ingress objects for Helm charts or regular "kubectl apply" deployments, after deployment to your cluster, you might see the server header in your responses. This is regarded as a security concern. It should not be present.


You might not have control of your cluster or Ingress Controllers. How can you remove the header in question?

2

There are 2 answers

0
Ian Robertson On BEST ANSWER

You might not have control of your cluster or Ingress Controllers, but you do have control of your Ingress manifests.

In each of your Ingress manifest files (maybe inside your Helm charts) you can update your Ingress definition(s).

apiVersion: networking.k8s.io/v1beta1 # for versions before 1.14 use extensions/v1beta1
kind: Ingress
metadata:
  name: {{ .Release.Name}}-{{ .Values.baseName }}-ingress-spa
  namespace: {{ .Values.global.config.namespace }}
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/configuration-snippet: |
          more_clear_headers "Server";    
spec:
  tls:
  - hosts:

The key part is:

nginx.ingress.kubernetes.io/configuration-snippet: |
          more_clear_headers "Server";

This instructs nginx to clear the server header. After redeploying your application you should now see:


And voila, the server header is gone.
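An added example, not part of the original answer: one way to find which Ingress objects still lack the `more_clear_headers "Server";` snippet shown above. It assumes input shaped like the output of `kubectl get ingress -A -o json`; the function names and the sample objects are constructed for illustration, and a directive restricted with `-s` or `-t` is treated as not clearing the header for every response.

```python
import json
import re
import sys

SNIPPET_KEY = "nginx.ingress.kubernetes.io/configuration-snippet"
# One more_clear_headers directive, up to its terminating semicolon.
DIRECTIVE = re.compile(r"more_clear_headers\s+([^;]*);")

def clears_server(snippet):
    """True if the snippet unconditionally clears the Server header."""
    for line in snippet.splitlines():
        line = line.split("#", 1)[0]  # drop nginx comments
        for args in DIRECTIVE.findall(line):
            names = [a.strip("\"'").lower() for a in args.split()]
            if any(n.startswith("-") for n in names):
                continue  # -s/-t limit the directive to some responses only
            if "server" in names:
                return True
    return False

def audit(ingress_list):
    """Return namespace/name of each Ingress whose snippet keeps Server."""
    missing = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        snippet = (meta.get("annotations") or {}).get(SNIPPET_KEY, "")
        if not clears_server(snippet):
            missing.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return missing

def _ing(ns, name, snippet=None):
    ann = {} if snippet is None else {SNIPPET_KEY: snippet}
    return {"metadata": {"namespace": ns, "name": name, "annotations": ann}}

# Constructed sample data (hypothetical namespaces and names).
SAMPLE = {"items": [
    _ing("web", "spa", 'more_clear_headers "Server";\n'),
    _ing("web", "api"),
    _ing("ops", "grafana", "more_clear_headers 'X-Powered-By' 'server';"),
    _ing("ops", "errors", 'more_clear_headers -s 404 "Server";'),
    _ing("ops", "old", '# more_clear_headers "Server";'),
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ref in audit(data):
        print("Server header not cleared:", ref)
```

Run it with the path to a saved JSON export as its only argument; with no argument it reports on the constructed sample. It inspects Ingress annotations only, so a header removed by a controller-wide setting will not show up here.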

0
Aaron Roydhouse On

You can do this for the whole nginx ingress controller in the settings ConfigMap:

server-tokens: "false"