Changing the Server response header in Nginx Proxy Manager


This is going to be a very short post.

If you deployed Nginx Proxy Manager via Docker in your home directory, you can edit the custom configuration file with:

nano ~/data/nginx/custom/http.conf

All you need to do is add the following at the top:

http.conf
more_set_headers 'Server: CuteKitten';

Then, restart your Nginx Proxy Manager. If you’re using Docker, like I am, a simple docker compose restart will do the trick.

With this, the custom Server header will be applied to every request, including those to the Nginx Proxy Manager UI itself. If you check the response headers of this website, you’ll see the header I set—proof of how easy and effective this customization can be!


Understanding more_set_headers vs add_header

When working with Nginx Proxy Manager, you may encounter two ways to handle HTTP headers:

  • add_header
  • more_set_headers

What is add_header?

add_header is a built-in Nginx directive that allows you to add new headers to your HTTP responses. It’s great for straightforward use cases where you just want to include additional information in your response headers.

What is more_set_headers?

more_set_headers is part of the “headers_more” module, an extension not included in standard Nginx but available out of the box with Nginx Proxy Manager (since it uses OpenResty). This directive gives you much more flexibility:

  • It can add, overwrite, or remove headers entirely.
  • It works seamlessly with Nginx Proxy Manager, so there’s no need to install anything extra.

For more technical details, you can check out the official headers_more documentation.

When to Use add_header or more_set_headers

Here’s a quick guide to help you decide:

Use add_header if:

  • You are just adding new headers to responses.
  • You don’t need to modify or remove existing headers.

Example:

add_header X-Frame-Options SAMEORIGIN;

Use more_set_headers if:

  • You need to replace or remove existing headers, such as Server or X-Powered-By.
  • You want headers to apply to all responses, including error responses (e.g., 404, 500).

Example:

# Replace the default Nginx Server header
more_set_headers "Server: MyCustomServer";

Why Use more_set_headers?

The key advantage of more_set_headers is that it provides full control over your headers. For example:

  • If you want to customize the Server header, add_header won’t work because the Server header is already set internally by Nginx; you would have to remove it first.
  • more_set_headers can replace the Server header or even remove it entirely, which is particularly useful for security or branding purposes.

Since Nginx Proxy Manager includes the headers_more module by default, using more_set_headers is effortless and highly recommended for advanced header management.

A Note on Security

Many believe that masking or modifying the Server header improves security by hiding the server software you’re using. The idea is that attackers who can’t easily identify your web server (e.g., Nginx, Apache, OpenResty) or its version won’t know which exploits to try.

While this may sound logical, it’s not a foolproof defense:

  • Why It May Be True: Obscuring server details could deter opportunistic attackers who rely on automated tools that scan for specific server types or versions.
  • Why It May Be False: Determined attackers can often gather enough information from other headers, server behavior, or fingerprinting techniques to deduce what you’re running, regardless of the Server header.

Ultimately, changing the Server header should be seen as one small layer in a broader security strategy, not as a standalone solution. Real security comes from keeping your software updated, implementing proper access controls, and configuring firewalls—not just masking headers.
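
To confirm that the replacement took effect on error responses as well as normal ones, and that no other header such as X-Powered-By still names the stack, you can audit the response headers. The following is an added example, not part of the original post; the host name in the comment and the two sample responses are constructed.

```sh
#!/bin/sh
# Added example: audit captured response headers after changing the Server header.
# Live use (hypothetical host): curl -sI https://proxy.example.test/ | audit_headers CuteKitten

# get_header NAME: print the value of the last NAME header found on stdin
# (case-insensitive name match, CR and surrounding blanks stripped).
get_header() {
  awk -v want="$1" '
    BEGIN { want = tolower(want) }
    {
      sub(/\r$/, "")
      i = index($0, ":")
      if (i == 0) next                      # status line or blank line
      if (tolower(substr($0, 1, i - 1)) != want) next
      val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      found = 1
    }
    END { if (found) print val }'
}

# audit_headers EXPECTED: print one finding per line; exit status 0 means clean.
audit_headers() (
  raw=$(cat)
  rc=0
  server=$(printf '%s\n' "$raw" | get_header Server)
  powered=$(printf '%s\n' "$raw" | get_header X-Powered-By)
  if [ "$server" != "$1" ]; then
    echo "server-mismatch: ${server:-<absent>}"; rc=1
  fi
  if [ -n "$powered" ]; then
    echo "x-powered-by-present: $powered"; rc=1
  fi
  return "$rc"
)

# Constructed sample responses (not captured from a real server).
SAMPLE_200=$(printf 'HTTP/1.1 200 OK\r\nserver: CuteKitten\r\nContent-Type: text/html\r\n')
SAMPLE_404=$(printf 'HTTP/1.1 404 Not Found\r\nServer: openresty\r\nX-Powered-By: PHP/8.2\r\n')

printf '%s\n' "$SAMPLE_200" | audit_headers CuteKitten && echo "200: clean"
printf '%s\n' "$SAMPLE_404" | audit_headers CuteKitten || echo "404: findings above"
```

Run it against both a normal URL and one that returns a 404, since a header that is only replaced on successful responses still identifies the server on error pages.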
