Apache Tips & Tricks: Hide PHP version (X-Powered-By)
Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod-php4/mod-php5
Scope: php.ini
Type: security
Description: How to hide the PHP version to remote requests.
Useful: to avoid disclosing unneeded information. As shown in “Discover the web server software and version of a remote server”, anyone can read valuable information from our Apache server banner. This tip shows how to suppress the PHP banner, the X-Powered-By header.
If you have read my previous tip, “Hide apache software version”, you have seen how to configure Apache to provide only a minimal amount of information about the installed software versions in its banner. But if you are using the PHP module in your web server (as most of us are), there is one additional step that needs to be completed, and that is what I will show you in this tip.
After implementing the Apache directives ServerTokens and ServerSignature as shown in “Hide apache software version”, we test the result against a regular HTML file and get the following response:
HEAD http://remote_server.com/index.html
200 OK
Connection: close
Date: Fri, 16 Jun 2006 01:13:23 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 16 Jun 2006 21:42:53 GMT
Client-Peer: 192.168.0.102:80
Client-Response-Num: 1
This looks good. But if we do the same thing against a URL that is a PHP file:
HEAD http://remote_server.com/index.php
200 OK
Connection: close
Date: Fri, 16 Jun 2006 01:16:30 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 16 Jun 2006 21:48:13 GMT
Client-Peer: 192.168.0.102:80
Client-Response-Num: 1
X-Powered-By: PHP/5.1.2-1+b1
Oops. As we can see, PHP adds its own banner:
X-Powered-By: PHP/5.1.2-1+b1
Let’s see how we can disable it. PHP reveals that it is installed on the server by adding its signature to the web server’s response headers. To prevent this, we need to locate the expose_php setting in php.ini and turn it off.
By default expose_php is set to On.
In your php.ini (depending on your Linux distribution this can be found in various places, such as /etc/php.ini or /etc/php5/apache2/php.ini) locate the line containing “expose_php = On” and set it to Off:
expose_php = Off
After making this change PHP will no longer add its signature to the web server headers. Doing this will not make your server more secure by itself; it just prevents remote hosts from easily seeing that you have PHP installed on the system and which version you are running.
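To verify the change the same way the tip does, here is an added example (not part of the original post) that checks a php.ini text for the expose_php setting and inspects captured response headers for the X-Powered-By banner and for version strings in the Server header. The two sample responses and the php.ini snippets are constructed to mirror the HEAD tests above.

```python
"""Check php.ini and HTTP response headers for PHP/Apache version disclosure."""
import re

# Constructed sample responses, modelled on the two HEAD tests in the tip.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.1.2-1+b1\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)


def parse_headers(raw):
    """Turn a raw response head into {lowercased header name: value}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def disclosures(headers):
    """Return the header names that leak software identity or version."""
    found = []
    if "x-powered-by" in headers:          # PHP banner present at all
        found.append("x-powered-by")
    if re.search(r"/\d", headers.get("server", "")):  # e.g. Apache/2.0.55
        found.append("server")
    return found


def expose_php_enabled(ini_text):
    """True if the php.ini text leaves expose_php on (PHP's default)."""
    enabled = True
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"expose_php\s*=\s*(\w+)", line, re.IGNORECASE)
        if m:  # last assignment wins, as PHP itself applies the file
            enabled = m.group(1).lower() in ("on", "1", "true", "yes")
    return enabled
```

For a live check, the header list returned by http.client's HEAD response can be lowercased and passed to disclosures() in the same way.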
27th July 2006, 22:09
Very nice! Thanks for sharing the tip!
19th September 2006, 09:29
Ta, just what I was after.
29th November 2006, 16:37
But how do I suppress the message Content-type: text/html in php-cli mode?
29th November 2006, 19:18
vlx,
I am not sure what you are trying to do… If you are running php from the CLI against a PHP file, the output is an HTML file (as seen by a browser). In some distributions (like Debian) the php-cli is controlled by a different php.ini file (/etc/php[4,5]/cli/php.ini).
20th June 2008, 21:51
Don’t forget to do a /etc/init.d/httpd restart for this to take effect.
25th June 2008, 17:23
I have had some bugs in zended php files that prevented my site from running properly.
I finally found a program that can decompile the zended script. The website is for site owners who have lost their source code.
http://www.decode-zend-decoder.com
Hope this helps someone who is stuck like I was.