Apache Tips & Tricks: Hide PHP version (X-Powered-By)
Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod-php4/mod-php5
Scope: php.ini
Type: security
Description: How to hide the PHP version to remote requests.
Useful: to not disclose un-needed information. As shown in Discover the web server software and version of a remote server anyone can find our valuable information from our apache server banner… This will show you how to suppress the PHP banner X-Powered-By.
If you have read my previous tip, “Hide apache software version”, you have seen how you can configure apache to provide only a minimal amount of information about the installed software versions in its banner. But if you are using the PHP module in your web server (as most of us are), then there is one additional step that need to be completed, and this is what I will show you in this tip.
After implementing the apache directives ServerTokens and ServerSignature as shown in “Hide apache software version”, we test its functionality against a regular html file and we get the following response:
HEAD http://remote_server.com/index.html
200 OK
Connection: close
Date: Fri, 16 Jun 2006 01:13:23 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 16 Jun 2006 21:42:53 GMT
Client-Peer: 192.168.0.102:80
Client-Response-Num: 1
This looks good. But if we do the same thing against an URL that is a PHP file:
HEAD http://remote_server.com/index.php
200 OK
Connection: close
Date: Fri, 16 Jun 2006 01:16:30 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 16 Jun 2006 21:48:13 GMT
Client-Peer: 192.168.0.102:80
Client-Response-Num: 1
X-Powered-By: PHP/5.1.2-1+b1
Ups… As we can see PHP adds its own banner: X-Powered-By: PHP/5.1.2-1+b1…
Let’s see how we can disable it. In order to prevent PHP from exposing the fact that it is installed on the server, by adding its signature to the web server header we need to locate in php.ini the variable expose_php and turn it off. _ By default expose_php is set to On_. In your php.ini (based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing “exposephp On” and set it to Off:
expose_php = Off
After making this change PHP will no longer add it’s signature to the web server header. Doing this, will not make your server more secure… it will just prevent remote hosts to easily see that you have PHP installed on the system and what version you are running.