diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
index 295f29dc4..1362b54d8 100644
--- a/files/nginx/odk.conf.template
+++ b/files/nginx/odk.conf.template
@@ -1,5 +1,6 @@
 server {
 listen 443 default_server ssl;
+ server_tokens off;
 ssl_certificate /etc/nginx/ssl/nginx.default.crt;
 ssl_certificate_key /etc/nginx/ssl/nginx.default.key;
diff --git a/files/nginx/redirector.conf b/files/nginx/redirector.conf
index 03239c726..91262fb98 100644
--- a/files/nginx/redirector.conf
+++ b/files/nginx/redirector.conf
@@ -5,6 +5,7 @@ server {
 listen 80 reuseport;
 listen [::]:80 reuseport;
 server_name ${DOMAIN};
+ server_tokens off;
 # Anything requesting this particular URL should be served content from
 # Certbot's folder so the HTTP-01 ACME challenges can be completed for the
@@ -24,6 +25,7 @@ server {
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
+ server_tokens off;
 return 421;
 }
diff --git a/files/nginx/setup-odk.sh b/files/nginx/setup-odk.sh
index 6e45a665f..407fdb3c7 100755
--- a/files/nginx/setup-odk.sh
+++ b/files/nginx/setup-odk.sh
@@ -63,7 +63,7 @@ else
 echo "starting nginx for upstream ssl..."
 else
 # remove letsencrypt challenge reply, but keep 80 to 443 redirection
- perl -i -ne 'print if $. < 8 || $. > 15' /etc/nginx/conf.d/redirector.conf
+ perl -i -ne 'print if $. < 9 || $. > 16' /etc/nginx/conf.d/redirector.conf
 echo "starting nginx for custom ssl and self-signed certs..."
 fi
 exec nginx -g "daemon off;"
diff --git a/test/nginx/run-tests.sh b/test/nginx/run-tests.sh
index 1a923c81c..1d9bab814 100755
--- a/test/nginx/run-tests.sh
+++ b/test/nginx/run-tests.sh
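Review bot: `server_tokens off;` is added per `server` block here and again in both redirector.conf hunks, so any server block added later without the line, and nginx's own responses emitted before a server is selected, can still advertise the version; if the `http` context in nginx.conf is under this project's control, a single `server_tokens off;` there covers all of them and the three per-block lines become redundant. That context is not in the diff, so it may already be set. Note that `server_tokens off` only drops the version string, the `Server: nginx` header and the stock error pages still identify the software, so this is hygiene rather than a control.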
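Review bot: `perl -i -ne 'print if $. < 9 || $. > 16'` removes the ACME challenge block from redirector.conf by absolute line numbers, and this commit already had to bump both numbers because a single line was inserted above it (the `@@ -24,6 +25,7 @@` hunk shows the shift); the next edit to redirector.conf breaks it silently, and the failure mode is either leaving the challenge `location` in place for a custom-certificate deployment or cutting into the 80 to 443 redirect. Bracketing the block in redirector.conf with marker comments such as `# BEGIN acme-challenge` and `# END acme-challenge` and deleting by range, `perl -i -ne 'print unless /# BEGIN acme-challenge/../# END acme-challenge/' /etc/nginx/conf.d/redirector.conf`, removes the coupling between the two files. The block being removed is outside this hunk, so marker placement needs checking against the full redirector.conf; the enclosing `if`/`else` in setup-odk.sh also starts before the hunk.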
@@ -39,4 +39,16 @@ wait_for_http_response 5 localhost:9000 421
 npm run test:nginx
+log "Linting nginx config with gixy-ng..."
+# gixy-ng is a maintained fork of gixy: https://github.com/dvershinin/gixy
+# For version updates, see: https://pypi.org/project/gixy-ng/#history
+docker_compose exec nginx bash -euc '
+ apt update
+ apt install -y python3-venv
+ python3 -m venv .venv
+ . .venv/bin/activate
+ pip install gixy-ng==0.2.12
+ gixy -lll
+'
+
 log "Completed OK."
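Review bot: `pip install gixy-ng==0.2.12` pins the version but neither its transitive dependencies nor any hashes, so what actually runs inside the nginx container depends on whatever PyPI serves at test time; generating a fully pinned requirements file with hashes and installing it with `pip install --require-hashes -r <requirements-file>` (placeholder path) makes the lint step reproducible. The same test-time network dependency applies to `apt update` and `apt install`, and `apt` warns that its CLI is not stable for scripts, so `apt-get` is the safer spelling in a non-interactive `bash -euc` block. `python3 -m venv .venv` is created relative to whatever the container's working directory happens to be; a directory under `/tmp` from `mktemp -d` avoids leaving a venv in the config tree. If `-lll` is gixy's severity filter (HIGH only, as in upstream gixy), MEDIUM findings are accepted silently, which deserves a one-line comment such as `# -lll: report HIGH-severity findings only`.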