
Hiding PHP's X-Powered-By header

I know in PHP, it sends the X-Powered-By header to have the PHP version.

I also know by appending some checksums, you can get access to PHP's credits, and some random images (more info here).

I also know in php.ini you can turn expose_php = off.

But here is something I have done on a few sites, and that is use

header('X-Powered-By: Alex'); 

When I view the headers, I can see that it is now 'Alex' instead of the PHP version. My question is, will this send the previous PHP header first (before it reaches my header()), and is it detectable by any sniffer program? Or are headers 'collected' by PHP, before being sent back to the browser?

By the way, this is not for security by obscurity, just curious how headers work in PHP.

alex asked Feb 23 '10 14:02




2 Answers

You can set expose_php = Off in your php.ini if you don't want it to send X-Powered-By header.

PHP first compiles everything (including which headers have which values) and then starts the output, not vice-versa.

PHP is also detectable with its own easter eggs; you can read about this topic here: PHP Easter Eggs

Kemo answered Sep 20 '22 15:09


See Apache Tips & Tricks: Hide PHP version (X-Powered-By)

Oops… As we can see, PHP adds its own banner:

X-Powered-By: PHP/5.1.2-1+b1… 

Let’s see how we can disable it. In order to prevent PHP from exposing the fact that it is installed on the server by adding its signature to the web server header, we need to locate in php.ini the variable expose_php and turn it off.

By default expose_php is set to On.

In your php.ini (based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing expose_php On and set it to Off:

expose_php = Off 

After making this change PHP will no longer add its signature to the web server header. Doing this will not make your server more secure… it will just prevent remote hosts from easily seeing that you have PHP installed on the system and what version you are running.

cletus answered Sep 19 '22 15:09
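A way to check the expose_php setting that both answers describe, as an added example (not code from the question or either answer): it reads the effective expose_php value from php.ini text and reports whether a captured response still carries a PHP version in X-Powered-By. The function names, the sample php.ini and the sample responses (including the placeholder version PHP/0.0.0) are constructed for illustration, and the boolean handling is a simplified model of PHP's ini parsing.

```python
import re

TRUE_WORDS = {"on", "true", "yes"}  # simplified model of PHP's boolean ini values

def expose_php_enabled(ini_text):
    """Effective expose_php from php.ini text; the last assignment wins."""
    enabled = True  # the quoted article states the default is On
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"expose_php\s*=\s*(.*)$", line)  # directive names are case-sensitive
        if m:
            v = m.group(1).strip().strip('"').lower()
            enabled = v in TRUE_WORDS or (v.isdigit() and int(v) != 0)
    return enabled

def powered_by_findings(raw_head):
    """(value, leaks_php_version) for every X-Powered-By line in a raw response head."""
    findings = []
    for line in raw_head.splitlines()[1:]:             # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            value = value.strip()
            findings.append((value, bool(re.match(r"PHP/\d", value, re.I))))
    return findings

# Constructed sample inputs (not taken from a real server).
SAMPLE_INI = "[PHP]\n;expose_php = On\nexpose_php = Off ; hide banner\n"
DEFAULT_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/0.0.0\r\n\r\n"
CUSTOM_RESPONSE = "HTTP/1.1 200 OK\r\nX-Powered-By: Alex\r\n\r\n"

if __name__ == "__main__":
    print("expose_php enabled:", expose_php_enabled(SAMPLE_INI))
    for label, head in (("default", DEFAULT_RESPONSE), ("custom", CUSTOM_RESPONSE)):
        print(label, powered_by_findings(head))
```

A single X-Powered-By entry in the findings for the custom response matches what the asker observed: only the replaced value is visible on the wire.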