Applies: apache 1.3.x / apache 2.0.x Required apache module: mod-php4/mod-php5 Scope: php.ini Type: security
Description: How to hide the PHP version to remote requests. Useful: to not disclose un-needed information. As shown in Discover the web server software and version of a remote server anyone can find our valuable information from our apache server banner… This will show you how to suppress the PHP banner X-Powered-By.
If you have read my previous tip, ”Hide apache software version”, you have seen how you can configure apache to provide only a minimal amount of information about the installed software versions in its banner. But if you are using the PHP module in your web server (as most of us are), then there is one additional step that need to be completed, and this is what I will show you in this tip.
After implementing the apache directives ServerTokens and ServerSignatureas shown in ”Hide apache software version”, we test its functionality against a regular html file and we get the following response:
HEAD http://remote_server.com/index.html 200 OK Connection: close Date: Fri, 16 Jun 2006 01:13:23 GMT Server: Apache Content-Type: text/html; charset=UTF-8 Client-Date: Fri, 16 Jun 2006 21:42:53 GMT Client-Peer: 192.168.0.102:80 Client-Response-Num: 1
This looks good. But if we do the same thing against an URL that is a PHP file:
HEAD http://remote_server.com/index.php 200 OK Connection: close Date: Fri, 16 Jun 2006 01:16:30 GMT Server: Apache Content-Type: text/html; charset=UTF-8 Client-Date: Fri, 16 Jun 2006 21:48:13 GMT Client-Peer: 192.168.0.102:80 Client-Response-Num: 1 X-Powered-By: PHP/5.1.2-1+b1
Ups… As we can see PHP adds its own banner: X-Powered-By: PHP/5.1.2-1+b1…
Let’s see how we can disable it. In order to prevent PHP from exposing the fact that it is installed on the server, by adding its signature to the web server header we need to locate in php.ini the variable expose_php and turn it off. _ By default expose_php is set to On. In your php.ini (based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing “expose_php On”_ and set it to Off:
expose_php = Off
After making this change PHP will no longer add it’s signature to the web server header. Doing this, will not make your server more secure… it will just prevent remote hosts to easily see that you have PHP installed on the system and what version you are running.