Though I agree with that, at the moment it would not be convenient to set that:
The config file(s) that the package ships with are 1:1 with the one that nginx itself ships with, the only exception being that it is sliced in the middle to allow multiple server files in the conf.d directory (see more in the readme). It kind of mimics the configuration layout typically found in Linux nginx environments.
In my experience nginx on Windows is really really stable, running months or even years without a hitch in a production setting, but it is not meant for production network loads - only one of the worker threads handles actual requests, so
The package, in general, is geared towards easy setup/debug/development on Windows - seeing in responses which version you are connected to is not a bad thing, esp if one is a novice to how the internet works.
You can still set server_tokens off; per-server or even per-location (the conf.d files are not changed upon package upgrades).
Even seeing the nginx version itself I don't see as a big threat tbh. One would rather be more worried about exposing the version of PHP/frameworks/any other software layer behind nginx. Nginx's role typically is very transparent - it either serves files or works as a gate to other software.
Nevertheless, thanks for the improvement suggestion, much appreciated.
Hi!
I really like the package. I would suggest the following change to the default nginx.conf:
server_tokens off;
It's a common security best practice not to expose which software version you're using.