From ce5e07ccfab94ceb455621ab23773a3d5e1b6984 Mon Sep 17 00:00:00 2001
From: Jacky Lam
Date: Thu, 2 May 2024 17:05:06 +0100
Subject: [PATCH] fix[security]: Disable nginx server signature by default (#7814)
---
 changelog.d/20240429_124319_jackylamhk_patch_2.md | 4 ++++
 cvat-ui/react_nginx.conf | 5 +++++
 cvat/nginx.conf | 5 +++++
 3 files changed, 14 insertions(+)
 create mode 100644 changelog.d/20240429_124319_jackylamhk_patch_2.md
diff --git a/changelog.d/20240429_124319_jackylamhk_patch_2.md b/changelog.d/20240429_124319_jackylamhk_patch_2.md
new file mode 100644
index 000000000000..029f7148be04
--- /dev/null
+++ b/changelog.d/20240429_124319_jackylamhk_patch_2.md
@@ -0,0 +1,4 @@
+### Security
+
+- Disable the nginx server signature by default to make it slightly harder for attackers to find known vulnerabilities.
+ ()
diff --git a/cvat-ui/react_nginx.conf b/cvat-ui/react_nginx.conf
index 29ae133f3978..c3d51866beab 100644
--- a/cvat-ui/react_nginx.conf
+++ b/cvat-ui/react_nginx.conf
@@ -1,6 +1,11 @@
 server {
 root /usr/share/nginx/html;
 
+ # Disable server signature to make it slighty harder for
+ # attackers to find known vulnerabilities. See
+ # https://datatracker.ietf.org/doc/html/rfc9110#name-server
+ server_tokens off;
+
 gzip on;
 gzip_comp_level 6;
 gzip_http_version 1.1;
diff --git a/cvat/nginx.conf b/cvat/nginx.conf
index a0ea97a07d00..5c67e4b1acd1 100644
--- a/cvat/nginx.conf
+++ b/cvat/nginx.conf
@@ -50,6 +50,11 @@ http {
 server_name _;
 
+ # Disable server signature to make it slighty harder for
+ # attackers to find known vulnerabilities. See
+ # https://datatracker.ietf.org/doc/html/rfc9110#name-server
+ server_tokens off;
+
 location /static/ {
 gzip on;
 gzip_comp_level 6;
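Review bot: The comment added above `server_tokens off;` in cvat-ui/react_nginx.conf misspells "slightly" and slightly overstates the effect of the directive; the identical comment is repeated in the cvat/nginx.conf hunk. `server_tokens off` only drops the version string from the `Server` response header and from nginx's built-in error pages; the header is still emitted as `Server: nginx`, so the product name remains visible and only the exact version is hidden. I would have the comment say that so nobody later assumes the header is gone: `# Hide the nginx version from the Server header and default error pages` / `# (the "nginx" product name is still sent). Slightly harder for an attacker` / `# to match a known vulnerability to this deployment. See` followed by the existing RFC link.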
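Review bot: In cvat/nginx.conf the new `server_tokens off;` sits inside the `server` block after `server_name _;`, so it applies only to that virtual host; the hunk header shows this block is nested in `http {`. If the file defines any other `server` blocks outside the hunk (the hunk does not show whether it does), they keep nginx's default of emitting the version and the signature would still leak through them. Declaring the directive once at `http` level, e.g. `http {` / `    server_tokens off;`, is inherited by every server block and avoids repeating it per block, which is also why the explicit declaration in the single-server cvat-ui/react_nginx.conf is sufficient there. The enclosing `server` block starts and ends outside this hunk.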