Remove the HTTP `server` header from the omnibus embedded nginx

Hello,
We regularly run penetration tests on our self-hosted gitlab instance.
We have a medium alert regarding our configuration because http headers reveal the nginx http server type.

> curl -I https://your-self-hosted-instance.com
...
server: nginx
...

Even if the version is not displayed, it is a best practice to completely remove this header.
It could avoid attackers to look up Common Vulnerabilities and Exposures (CVEs) for nginx.

By default GitLab sets the server_tokens nginx directive to off value.
As mentioned it avoids to display the Nginx version.
The commercial edition of Nginx allows to set an empty string as paramater. But GitLab does not provide the commercial edition of nginx in its embedded omnibus binaries.

Could you please consider to suppress this header ?

It could be possible by using an external nginx module as ngx_security_headers.

We already know it is possible to deploy a non bundled web server but for many reasons we want to avoid it.

Regards,

Edited by Thomas CAZALI