Apache Tips & Tricks: Hide PHP Version (X-Powered-By)

RussianRoot 18/07/2013 0
Apache Tips & Tricks: Hide PHP Version (X-Powered-By)

Applies: apache 1.3.x / apache 2.0.x Required apache module: mod-php4/mod-php5 Scope: php.ini Type: security

Description: How to hide the PHP version to remote requests. Useful: to not disclose un-needed information. As shown in”Discover the web server software and version of a remote server“ anyone can find our valuable information from our apache server banner… This will show you how to suppress the PHP banner X-Powered-By.

If you have read my previous tip, ”Hide apache software version”, you have seen how you can configure apache to provide only a minimal amount of information about the installed software versions in its banner. But if you are using the PHP module in your web server (as most of us are), then there is one additional step that need to be completed, and this is what I will show you in this tip.

After implementing the apache directives ServerTokens and ServerSignature as shown in ”Hide apache software version”, we test its functionality against a regular html file and we get the following response:

This looks good. But if we do the same thing against an URL that is a PHP file:

Ups… As we can see PHP adds its own banner: X-Powered-By: PHP/5.1.2-1+b1

Let’s see how we can disable it. In order to prevent PHP from exposing the fact that it is installed on the server, by adding its signature to the web server header we need to locate in php.ini the variable expose_php and turn it off. _ By default expose_php is set to On. In your php.ini (based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing “expose_php On”_ and set it to Off:

After making this change PHP will no longer add it’s signature to the web server header. Doing this, will not make your server more secure… it will just prevent remote hosts to easily see that you have PHP installed on the system and what version you are running.

Leave A Response »

2 × = 8

Warning: require_once(/www/htdocs/w00e1ca9/domainpool/russianroot.net): failed to open stream: No such file or directory in /www/htdocs/w00e1ca9/domainpool/russianroot.net/wp-content/themes/aven/footer.php on line 48

Fatal error: require_once(): Failed opening required '' (include_path='.:/usr/share/php:..') in /www/htdocs/w00e1ca9/domainpool/russianroot.net/wp-content/themes/aven/footer.php on line 48