Change server-tokens default value to false

docs/deploy/hardening-guide.md

@@ -58,7 +58,7 @@ This guide refers to chapters in the CIS Benchmark. For full explanation you sho
 | 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored)| RISK TO BE ACCEPTED| Not configured, however the nginx default is 60s| Not configurable|
 | ||| |
 | __2.5 Information Disclosure__||| |
-| 2.5.1 Ensure server_tokens directive is set to `off` (Scored) | OK | server_tokens is configured to off by defaukt| |
+| 2.5.1 Ensure server_tokens directive is set to `off` (Scored) | OK | server_tokens is configured to off by default| |
 | 2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored) | ACTION NEEDED| 404 shows no version at all, 503 and 403 show "nginx", which is hardcoded [see this line in nginx source code](https://github.com/nginx/nginx/blob/master/src/http/ngx_http_special_response.c#L36) | configure custom error pages at least for 403, 404 and 503 and 500|
 | 2.5.3 Ensure hidden file serving is disabled (Not Scored) | ACTION NEEDED | config not set | configure a config.server-snippet Snippet, but beware of .well-known challenges or similar. Refer to the benchmark here please |
 | 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored)| ACTION NEEDED| hide not configured| configure hide-headers with array of "X-Powered-By" and "Server": [according to this documentation](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#hide-headers) |

docs/user-guide/nginx-configuration/configmap.md

@@ -79,7 +79,7 @@ The following table shows a configuration option's name, type, and the default v
 |[proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)|int|64|
 |[plugins](#plugins)|[]string| |
 |[reuse-port](#reuse-port)|bool|"true"|
-|[server-tokens](#server-tokens)|bool|"true"|
+|[server-tokens](#server-tokens)|bool|"false"|
 |[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"|
 |[ssl-ecdh-curve](#ssl-ecdh-curve)|string|"auto"|
 |[ssl-dh-param](#ssl-dh-param)|string|""|
@@ -498,7 +498,7 @@ Activates plugins installed in `/etc/nginx/lua/plugins`. Refer to [ingress-nginx
 
 ## server-tokens
 
-Send NGINX Server header in responses and display NGINX version in error pages. _**default:**_ is enabled
+Send NGINX Server header in responses and display NGINX version in error pages. _**default:**_ is disabled
 
 ## ssl-ciphers
 

internal/ingress/controller/config/config.go

@@ -753,7 +753,7 @@ func NewDefault() Configuration {
 		ProxyHeadersHashBucketSize:       64,
 		ProxyStreamResponses:             1,
 		ReusePort:                        true,
-		ShowServerTokens:                 true,
+		ShowServerTokens:                 false,
 		SSLBufferSize:                    sslBufferSize,
 		SSLCiphers:                       sslCiphers,
 		SSLECDHCurve:                     "auto",

test/e2e/settings/pod_security_policy.go

@@ -79,7 +79,7 @@ var _ = framework.IngressNginxDescribe("[Security] Pod Security Policies", func(
 
 		f.WaitForNginxConfiguration(
 			func(cfg string) bool {
-				return strings.Contains(cfg, "server_tokens on")
+				return strings.Contains(cfg, "server_tokens off")
 			})
 
 		f.HTTPTestClient().

test/e2e/settings/pod_security_policy_volumes.go

@@ -102,7 +102,7 @@ var _ = framework.IngressNginxDescribe("[Security] Pod Security Policies with vo
 
 		f.WaitForNginxConfiguration(
 			func(cfg string) bool {
-				return strings.Contains(cfg, "server_tokens on")
+				return strings.Contains(cfg, "server_tokens off")
 			})
 
 		f.HTTPTestClient().