Tags: kubernetes, kubernetes-ingress, nginx-ingress

How to remove the server header from Kubernetes deployed applications


I am asking this question in the style of question then answer.

If you create your Ingress objects for Helm charts or regular "kubectl apply" deployments, after deployment to your cluster, you might see the server header in your responses. This is regarded as a security concern. It should not be present.


You might not have control of your cluster or Ingress Controllers. How can you remove the header in question?


Solution

  • You might not have control of your cluster or Ingress Controllers, but you do have control of your Ingress manifests.

    In each of your Ingress manifest files (maybe inside your Helm charts) you can update your Ingress definition(s).

    apiVersion: networking.k8s.io/v1beta1 # for versions before 1.14 use extensions/v1beta1
    kind: Ingress
    metadata:
      name: {{ .Release.Name }}-{{ .Values.baseName }}-ingress-spa
      namespace: {{ .Values.global.config.namespace }}
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
        nginx.ingress.kubernetes.io/rewrite-target: /$2
        nginx.ingress.kubernetes.io/configuration-snippet: |
          more_clear_headers "Server";
    spec:
      tls:
      - hosts:
    

    The key part is:

    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_clear_headers "Server";
    

    This instructs nginx to clear the server header. After redeploying your application you should now see:


    And voila, the server header is gone.
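To find which Ingress objects still lack the annotation, the following is an added example (not part of the original answer) that goes beyond the single manifest above and audits JSON in the shape of `kubectl get ingress -A -o json`. The function names and the sample objects are constructed for illustration, and it assumes the nginx class is named `nginx`.

```python
import json
import re

SNIPPET = "nginx.ingress.kubernetes.io/configuration-snippet"
CLASS_ANNOTATION = "kubernetes.io/ingress.class"
DIRECTIVE = re.compile(r"more_clear_headers\s+([^;]*);")


def clears_server_header(snippet):
    """True if the snippet has an active more_clear_headers directive naming Server."""
    # Drop nginx comments so a commented-out directive does not count.
    active = "\n".join(line.split("#", 1)[0] for line in snippet.splitlines())
    for args in DIRECTIVE.findall(active):
        names = [a.strip("'\"").lower() for a in args.split()]
        if "server" in names:
            return True
    return False


def ingresses_missing_clear(ingress_list):
    """Return namespace/name of nginx-class Ingresses without the directive."""
    missing = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        cls = annotations.get(CLASS_ANNOTATION) or item.get("spec", {}).get("ingressClassName")
        if cls != "nginx":
            continue  # another controller renders this Ingress
        if not clears_server_header(annotations.get(SNIPPET, "")):
            missing.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}")
    return missing


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.loads(r"""{"items": [
  {"metadata": {"namespace": "web", "name": "spa", "annotations": {
    "kubernetes.io/ingress.class": "nginx",
    "nginx.ingress.kubernetes.io/configuration-snippet": "more_clear_headers \"Server\";\n"}}},
  {"metadata": {"namespace": "web", "name": "api", "annotations": {
    "kubernetes.io/ingress.class": "nginx",
    "nginx.ingress.kubernetes.io/configuration-snippet": "# more_clear_headers \"Server\";\n"}}},
  {"metadata": {"namespace": "web", "name": "admin"}, "spec": {"ingressClassName": "nginx"}},
  {"metadata": {"namespace": "ops", "name": "grafana", "annotations": {"kubernetes.io/ingress.class": "traefik"}}}
]}""")

if __name__ == "__main__":
    for name in ingresses_missing_clear(SAMPLE):
        print("Server header not cleared:", name)
```

The annotation only takes effect when the controller permits snippet annotations (the `allow-snippet-annotations` setting in ingress-nginx), so confirm the result by inspecting the response headers after redeploying.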