EDIT -- the solution I posted below probably applies to any server (Nginx/Apache/anything else), because this header is set in Rails itself.


Anyone know where the "X-Runtime" header can be removed in Nginx & Passenger?

I've grepped the source files and haven't found anything yet, but I'd like to get rid of it for security since it's a telltale sign of Rails.

A: 

The following is for Apache. I didn't read the question correctly. :)

Enable the headers module, mod_headers, and add the following to Apache's configuration:

Header always unset "X-Runtime"

You will probably also want to remove the X-Powered-By header, so add the following too:

Header always unset "X-Powered-By"
toholio
This is actually Nginx rather than Apache - thanks though :)
fig
Ah, whoops! :) My bad.
toholio
+4  A: 

Turned out it wasn't being set in either Nginx or Passenger.

It's in benchmarking.rb in /gems/actionpack-2.3.2/lib/action_controller/, line 90.

fig
+1  A: 

In Apache you can use mod_headers to remove any header from the response (or the request for that matter).

To remove the headers you need to enable the module:

# a2enmod headers

Then you can use the unset option of the Header directive to unset them:

Header unset X-Runtime
Header unset X-Powered-By

This directive can be used both at the global level and for a single virtual server.

LucaM
A: 

I know it's kind of an old question, but because the problem still exists and many sites still expose their Passenger and Nginx versions, I'm giving an answer which works very well for me. The same solution applies to the X-Runtime header.

Just install the 3rd party ngx_headers_more module: http://github.com/agentzh/headers-more-nginx-module (you have to rebuild it from source). Add to your config (I created /etc/nginx/conf.d/security.conf for it):

server_tokens off;
more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime';

Radarek
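
To confirm that the configurations in the answers above actually took effect, the response headers can be audited after the change. The script below is an added example, not code from any of the posters; the names LEAKY_HEADERS, parse_headers and audit_headers and the sample responses (including the 0.0.0 version strings) are constructed for illustration.

```ruby
# Added example: audit a raw HTTP response header block (for instance one
# saved from `curl -sI`) for the fingerprinting headers discussed in this
# thread. All names and sample data here are constructed, not real output.

LEAKY_HEADERS = %w[x-runtime x-powered-by].freeze

# Parse "Name: value" lines into a hash keyed by lower-cased header name
# (HTTP header names are case-insensitive). The status line and blank
# lines have no "name: value" shape and are skipped.
def parse_headers(raw)
  raw.each_line.with_object({}) do |line, headers|
    name, value = line.chomp.split(":", 2)
    next if value.nil? || name.strip.empty? || name.include?(" ")
    (headers[name.strip.downcase] ||= []) << value.strip
  end
end

# Return a list of findings; an empty list means nothing was disclosed.
def audit_headers(raw)
  headers = parse_headers(raw)
  findings = LEAKY_HEADERS.select { |h| headers.key?(h) }
                          .map { |h| "#{h} present: #{headers[h].join(', ')}" }
  # With `server_tokens off` nginx still sends "Server: nginx" without a
  # version, so flag the header only when it carries a version-like number.
  (headers["server"] || []).each do |v|
    findings << "server discloses version: #{v}" if v =~ /\d+\.\d+/
  end
  findings
end

# Constructed sample: response before any hardening (placeholder versions).
BEFORE = <<~HTTP
  HTTP/1.1 200 OK
  Server: nginx/0.0.0 + Phusion Passenger 0.0.0
  X-Powered-By: Phusion Passenger 0.0.0
  X-Runtime: 12
  Content-Type: text/html; charset=utf-8
HTTP

# Constructed sample: response after the headers have been cleared.
AFTER = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
HTTP

if __FILE__ == $PROGRAM_NAME
  puts audit_headers(BEFORE)
  puts "after: #{audit_headers(AFTER).inspect}"
end
```
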