Headers More
Response headers, fully under your control. Add them, change them, nuke them entirely.
nginx-module-headers-more
Install
Make sure you have the official nginx.org repository configured first. These packages require nginx from nginx.org, not the distro-bundled version.
Add the Blendbyte repository if you haven't already:
sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://apt.blendbyte.net/nginx/blendbyte-archive-keyring.gpg \
| sudo tee /etc/apt/keyrings/blendbyte.gpg >/dev/null
echo "deb [signed-by=/etc/apt/keyrings/blendbyte.gpg] https://apt.blendbyte.net/nginx $(lsb_release -cs) main" \
| sudo tee /etc/apt/sources.list.d/blendbyte.list
sudo apt update
Then install this module:
sudo apt install nginx-module-headers-more
Most modules auto-enable on install. If yours didn't, enable it manually:
sudo ln -s /etc/nginx/modules-available/50-mod-headers-more.conf \
/etc/nginx/modules-enabled/
sudo nginx -t && sudo systemctl reload nginx
What it does
Nginx's built-in add_header can add headers but can't modify or remove existing ones. Headers More fixes that. The more_set_headers directive sets or overwrites any header (including Server, which nginx normally guards), and more_clear_headers removes headers entirely. This is essential for security headers that need to overwrite upstream values, for removing information-leaking headers from upstream applications, for implementing CORS headers at the proxy layer, and for any situation where the standard header directives aren't cutting it. It works in server and location blocks with full phase control.
When to use it
- Remove or replace the Server header to stop nginx version fingerprinting
- Set security headers (HSTS, CSP, X-Frame-Options) reliably, overwriting upstream values
- Strip X-Powered-By and other information-leaking headers from application responses
- Implement CORS headers at nginx rather than in application code
- Override upstream-set Cache-Control or other headers at the proxy layer
Configuration
A starting-point configuration. Adjust to your setup.
# Inside your server {} or location {} block:
# Strip identifying headers
more_clear_headers Server X-Powered-By X-Generator;
# Set a custom value
more_set_headers 'Server: nginx';
# Security headers that overwrite whatever upstream sent
more_set_headers 'X-Frame-Options: SAMEORIGIN';
more_set_headers 'X-Content-Type-Options: nosniff';
more_set_headers 'Referrer-Policy: strict-origin-when-cross-origin';
Replacing a Sury package?
This module replaces libnginx-mod-http-headers-more-filter from the Sury nginx repository.
The package declares Replaces and Conflicts so apt handles the swap automatically in one transaction.
# If you were using Sury, this upgrades in place:
sudo apt install nginx-module-headers-more
See the full migration guide for the complete Sury-to-Blendbyte migration steps.
Upstream project
This module is packaged from the upstream open-source project. Bug reports about module behaviour (not packaging) should go upstream.
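To confirm that the starting-point configuration from the Configuration section took effect, this added example (not part of the module or the Blendbyte packaging) audits a response-header dump such as the output of `curl -sI`. The function name, the sample responses and the rule that a digit in `Server` indicates an exposed version are assumptions.

```shell
# Added example: audit response headers on stdin (e.g. from `curl -sI`) against
# the starting-point configuration. One finding per line; returns 1 if any.
audit_headers() {
    awk '
    BEGIN {
        # Names and values from the more_set_headers lines in the configuration.
        n = split("x-frame-options x-content-type-options referrer-policy", hdr, " ")
        split("SAMEORIGIN nosniff strict-origin-when-cross-origin", want, " ")
        banned["x-powered-by"]; banned["x-generator"]   # cleared by more_clear_headers
    }
    {
        sub(/\r$/, "")                    # live responses end lines with CRLF
        i = index($0, ":")
        if (i == 0) next                  # status line or blank line
        name = tolower(substr($0, 1, i - 1))
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        count[name]++; last[name] = val
        if (name in banned) { print "LEAK " name ": " val; bad = 1 }
        # Assumption: a digit in Server means a version string is exposed.
        if (name == "server" && val ~ /[0-9]/) { print "LEAK server: " val; bad = 1 }
    }
    END {
        for (k = 1; k <= n; k++) {
            h = hdr[k]
            if (!(h in count))           { print "MISSING " h; bad = 1 }
            else if (count[h] > 1)       { print "DUPLICATE " h; bad = 1 }
            else if (last[h] != want[k]) { print "MISMATCH " h ": " last[h]; bad = 1 }
        }
        exit bad + 0
    }'
}

# Constructed sample: add_header appended to upstream headers instead of replacing them.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: nginx/1.24.0
X-Powered-By: PHP/8.2.0
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff'

# Constructed sample: the same response with the configuration applied.
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin'

printf '%s\n' "$SAMPLE_BEFORE" | audit_headers || true   # prints four findings
printf '%s\n' "$SAMPLE_AFTER" | audit_headers && echo "headers OK"
```

Against a live site, pipe the response in with `curl -sI https://example.com/ | audit_headers` (placeholder URL) and use the exit status in a deployment check.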