Headers More

Response headers, fully under your control. Add them, change them, nuke them entirely.

nginx-module-headers-more

Install

You'll need nginx from nginx.org configured first. These packages won't load on the distro nginx.

Add the Blendbyte repository if you haven't already:

Add Blendbyte repository
sudo install -d -m 0755 /etc/apt/keyrings

curl -fsSL https://apt.blendbyte.net/nginx/blendbyte-archive-keyring.gpg \
  | sudo tee /etc/apt/keyrings/blendbyte.gpg >/dev/null

echo "deb [signed-by=/etc/apt/keyrings/blendbyte.gpg] https://apt.blendbyte.net/nginx $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/blendbyte.list

sudo apt update

Then install this module:

Install nginx-module-headers-more
sudo apt install nginx-module-headers-more

Most modules auto-enable on install. If yours didn't:

Enable module manually (if needed)
sudo ln -s /etc/nginx/modules-available/50-mod-headers-more.conf \
  /etc/nginx/modules-enabled/
sudo nginx -t && sudo systemctl reload nginx

What it does

Nginx's built-in add_header can add headers but can't touch existing ones. Headers More fixes that. The more_set_headers directive sets or overwrites any header, including Server (which nginx normally won't let you touch), and more_clear_headers removes them entirely. Handy for security headers that need to overwrite what upstream sent, stripping leaky headers from application responses, adding CORS headers at the proxy layer, or anywhere the standard directives fall short. Works in server and location blocks.

When to use it

  • Remove or replace the Server header to stop nginx version fingerprinting
  • Set security headers (HSTS, CSP, X-Frame-Options) reliably, overwriting upstream values
  • Strip X-Powered-By and other information-leaking headers from application responses
  • Implement CORS headers at nginx rather than in application code
  • Override upstream-set Cache-Control or other headers at the proxy layer

Configuration

A starting point. Adjust to taste.

nginx.conf example
# Inside your server {} or location {} block:
# Strip identifying headers
more_clear_headers Server X-Powered-By X-Generator;

# Set a custom value
more_set_headers 'Server: nginx';

# Security headers that overwrite whatever upstream sent
more_set_headers 'X-Frame-Options: SAMEORIGIN';
more_set_headers 'X-Content-Type-Options: nosniff';
more_set_headers 'Referrer-Policy: strict-origin-when-cross-origin';
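
To confirm the directives above took effect, this added example (not part of the package documentation or the upstream module) audits a response's headers against that policy. The two sample responses are constructed, the function names are hypothetical, and treating any digit in Server as a version string is a heuristic assumption.

```shell
# Added example (not from the module or the package docs): check response
# headers against the policy in the nginx.conf example above.

# Print the value of header $2 (case-insensitive) from header block $1.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2" '
    { i = index($0, ":"); if (i == 0) next }
    tolower(substr($0, 1, i - 1)) == tolower(n) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }'
}

# Read raw response headers on stdin, print findings, return their count.
audit_headers() {
  local hdrs findings h v want
  hdrs=$(cat); findings=0
  # Headers removed by more_clear_headers must be absent.
  for h in X-Powered-By X-Generator; do
    v=$(header_value "$hdrs" "$h")
    if [ -n "$v" ]; then echo "FAIL $h still sent: $v"; findings=$((findings + 1)); fi
  done
  # Server is reset to 'nginx'; a digit suggests a version string (heuristic).
  v=$(header_value "$hdrs" Server)
  case "$v" in *[0-9]*) echo "FAIL Server shows a version: $v"; findings=$((findings + 1)) ;; esac
  # Headers set by more_set_headers must carry exactly the configured value.
  while IFS='|' read -r h want; do
    v=$(header_value "$hdrs" "$h")
    if [ "$v" != "$want" ]; then
      echo "FAIL $h: want '$want', got '${v:-<absent>}'"; findings=$((findings + 1))
    fi
  done <<'EOF'
X-Frame-Options|SAMEORIGIN
X-Content-Type-Options|nosniff
Referrer-Policy|strict-origin-when-cross-origin
EOF
  return "$findings"
}

# Constructed sample: an unfiltered upstream response.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: nginx/1.0.0-example
X-Powered-By: ExampleApp
X-Frame-Options: DENY'
# Constructed sample: the same response after the directives above.
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin'

printf '%s\n' "$SAMPLE_BEFORE" | audit_headers || echo "findings: $?"
```

Against a live host, pipe `curl -sI https://your-host.example/` (placeholder hostname) into `audit_headers`; the exit status is the number of findings, so it can gate a deploy check.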

Replacing a Sury package?

This replaces libnginx-mod-http-headers-more-filter from the old Sury nginx repository. The package declares Replaces and Conflicts so apt handles the swap in one transaction. No manual cleanup needed.

Drop-in replacement
# If you were using Sury, this upgrades in place:
sudo apt install nginx-module-headers-more

See the full migration guide for the complete Sury-to-Blendbyte migration steps.

Upstream project

We package this from the upstream open-source project. If it's a bug in the module itself (not in our packaging), report it upstream.

https://github.com/openresty/headers-more-nginx-module