Motivation
Standard nginx only exposes add_header, which can only add headers. There's no way to strip or rewrite headers nginx (or upstream) emits. This shows up in two common scenarios for users of the image:
- Replacing the default Server header. Security audits routinely flag the version-leaking nginx/1.x.x Server header. server_tokens off reduces it to plain nginx, but lots of teams want a custom brand string ("Acme API", "Foo Marketing") or no Server header at all.
- Removing redundant or noisy headers added by upstreams or PHP-FPM (e.g. X-Powered-By, X-Generator).
add_header cannot do either. The community standard is the headers-more-nginx-module, which provides more_set_headers and more_clear_headers.
Proposal
- Compile headers-more-nginx-module into the nginx build for all php-fpm-nginx variants
- Optionally surface a small ENV convenience:
  - NGINX_SERVER_HEADER → emits more_set_headers 'Server: $value' when set
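One way the NGINX_SERVER_HEADER convenience could be rendered at container start, as an added example (not code from this image or from headers-more-nginx-module). The function name render_server_header and the allowed-character set are assumptions; the value is validated because it is interpolated into nginx configuration.

```shell
#!/bin/sh
# Hypothetical entrypoint helper: turn NGINX_SERVER_HEADER into a
# headers-more directive. The env value ends up inside a single-quoted
# nginx argument, so anything that could close the quote or end the
# directive (quotes, ';', '$', braces, backslashes, newlines) is refused.

render_server_header() {
    value=$1

    # Unset or empty: emit nothing, nginx keeps its default Server header.
    [ -n "$value" ] || return 0

    # Assumed allow-list: ASCII letters, digits, space, and . _ / -
    allowed='A-Za-z0-9 ._/-'
    case $value in
        *[!$allowed]*)
            echo "NGINX_SERVER_HEADER contains unsupported characters" >&2
            return 1
            ;;
    esac

    printf "more_set_headers 'Server: %s';\n" "$value"
}

# An entrypoint would redirect this into a conf file that nginx includes
# in its http {} block; here it simply prints the directive (if any).
render_server_header "${NGINX_SERVER_HEADER:-}"
```

A non-zero return lets the entrypoint fail fast instead of starting nginx with a malformed or attacker-influenced configuration.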
Cost
- ~50 KB to image size
- No runtime overhead (statically compiled into nginx binary)
- Widely deployed, stable upstream module
Acceptance criteria
- more_set_headers directive available in all php-fpm-nginx images
- more_clear_headers directive available
- NGINX_SERVER_HEADER ENV var (or equivalent) for the common server-rebrand case