PHP - How to hide X-Powered-by in HTTP headers

  • Last update: Apr 3, 2024
  • Author: Admin

Hello colleagues.

In today's article, we'll talk about how you can quickly and easily hide your PHP interpreter version in HTTP headers.

When a user sends a request to your site, the request is first handled by your Apache or Nginx web server, which then passes it to your interpreter, in our case PHP. After PHP processes the request, it returns the response to the web server, and the web server returns the result to the user. In that result, specifically in the HTTP headers, alongside other information about the server, the version of the PHP interpreter installed on the server is also transmitted, and this can be a risk to the security of your web application.

Hiding your PHP interpreter version from prying eyes can help you keep your web application secure. Note that hiding the version only helps against certain types of attacks, where a robot is looking for a specific version with a specific vulnerability.

By default, the PHP version number is sent in the HTTP headers of responses from your Apache or Nginx web server. The header that carries the PHP version is called X-Powered-By.

[Screenshot: php hide version]

As you can see from the screenshot, our web server transmits the version of PHP that we have installed.

To hide information about the PHP interpreter, change the expose_php setting in the main configuration file, php.ini, located in the /etc directory.

Open the php.ini configuration file with any text editor convenient for you.

$ sudo vim /etc/php.ini

Find the expose_php parameter in the file.

Change the parameter value from On to Off.

expose_php = Off


After we changed the value of the expose_php parameter, we now need to restart the PHP interpreter using the following command:

$ sudo service php-fpm restart

We refresh the page in the browser and look at the result.

[Screenshot: php hide version]

As you can see, as a result, information about our PHP interpreter is no longer shown.
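The same check can be scripted instead of done in the browser. This is an added example, not part of the original article: the function name find_php_disclosure and both header blocks are constructed for illustration, and on your own server you would pipe the output of `curl -sI` for your site into the function.

```sh
#!/bin/sh
# Added example: audit a block of HTTP response headers for PHP disclosure.
# Reads raw headers on stdin, prints every offending header line and
# returns 1 if X-Powered-By names PHP, 0 if the headers are clean.
find_php_disclosure() {
    # Responses use CRLF line endings, so strip CR before matching.
    # Header names are case-insensitive, so compare in lower case.
    tr -d '\r' | awk '
        $0 == "" { body = 1 }   # a blank line ends the header block
        body     { next }       # never scan the response body
        tolower($0) ~ /^x-powered-by:.*php/ { print "LEAK: " $0; found = 1 }
        END      { exit found + 0 }
    '
}

# Constructed sample responses (not captured from a real server).
HEADERS_BEFORE='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/8.1.0
'
HEADERS_AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
'

# $1 = label, $2 = header block to audit
audit() {
    if printf '%s' "$2" | find_php_disclosure; then
        echo "$1: no PHP version in headers"
    else
        echo "$1: PHP version disclosed"
    fi
}

audit "expose_php = On " "$HEADERS_BEFORE"
audit "expose_php = Off" "$HEADERS_AFTER"
```

Because the function returns a non-zero status on a leak, it can also serve as a post-deployment check that fails if expose_php is switched back on.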


 

Thank you all, I hope my article was of some help to you.
