How to remove "X-Runtime" header from Nginx/Passenger?

For anyone who is still stumbling on this, I believe the simplest and most correct way to do it is in config/application.rb, by adding the following:

config.middleware.delete(Rack::Runtime)

All the other methods seem to not so much disable the header as filter it from the output. This is for rails4, not sure if it applies to other versions.

Update:

The following code in an initializer file may be more robust as the existence of Rack::Runtime middleware might be assumed by some other components.

Rails.application.config.middleware.delete(Rack::Runtime)

Turned out it wasn't being set in either Nginx or Passenger.

It's in benchmarking.rb in /gems/actionpack-2.3.2/lib/action_controller/, line 90.

I know it's kinda old question but because problem still exists and many sites still expose it's passenger and nginx version I give answer which works very well for me. The same solution applies to X-Runtime header.

Just install 3rd party ngx_headers_more: http://github.com/agentzh/headers-more-nginx-module (you have to rebuild it from source). Add to your config (I created /etc/nginx/conf.d/security.conf for it):server_tokens off;more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime';