I recently noticed that my website was returning the value 'nginx' in my Server header which was odd because I build NginX form source and specifically change the value. It turns out that additional changes are required to update the value of the header when using HTTP/2. Here's how.
I have a blog on how to change and customise various HTTP response headers that a server or application may return my default. Titled Hardening your HTTP response headers it covers various headers including the Server header. I found it a little odd that I'd customised NginX to return a custom value in the Server header but was still seeing the default string. On securityheaders.io I was seeing the custom value but Chrome was showing me the default value. In the end I realised that the difference was that securityheaders.io was using HTTP/1.1 and Chrome was using HTTP/2. NginX was returning a different value depending on the protocol version used.
New for HTTP/2
Alongside the changes outlined in the above article, you need to modify a second file if you're using HTTP/2.
The path and specific line number may change depending on your version but this is the line you're looking for:
It will probably change over time but it looks like this:
static const u_char nginx = "\x84\xaa\x63\x55\xe7";
What you're seeing is the string "nginx" in its compressed form. In HTTP/2 we get header compression, amongst a load of other benefits, and the string is already compressed in the source. To change the value in the header we simply need to modify this variable. To do that I've created a little tool called HPACK-Encode which is available at GitHub. It's a simple Go script that will take a string of your choice and output the appropriate line of code to replace the one above with.
static const u_char nginx = "\x95\xc1\x51\x2c\xf5\x5a\x54\x86\x8a\x14\xdf\x39\x54\xdf\x39\xaa\x99\x1f\xc7\xf1\xfc\x7f";
You can have a maximum of 63 characters and once you've made the change, save the file, exit and then build NginX as you normally would and you will get your new Server header value over HTTP/2 as well!