
Turning expose_php OFF in php.ini

I have been advised that having expose_php = On in my php.ini is a security issue and is, therefore, not PCI compliant.

My research on it so far suggests that turning it off is low risk and will essentially stop sending back the PHP version in the header, however I am wondering if there are likely to be any issues that come on the back of this change.

Potential issues I am thinking of are third party services (payment providers, email tracking systems, video streaming APIs) that expect you to respond with a header that indicates you are running a version of PHP, possibly over a certain version?

Should this be a seamless change or does this have the potential for problems?

crmpicco asked Mar 08 '12 12:03



2 Answers

That's correct.

Setting expose_php = Off just prevents the web server from sending back the X-Powered-By header.

While one could say that potential hackers could look for out of date versions of PHP with security holes to exploit, they could potentially do the same even if the header was turned off. In my opinion, it is a good thing to do, but do not expect it to offer much protection.

In terms of interacting with third party services, they should not have to care about which version of PHP you are using. They should be able to serve content in platform-agnostic formats such as JSON, XML, etc, so that the services can be consumed by any platform and not just PHP.

In any case, for them to rely on the "consumer's" PHP version is useless, as the header can be easily turned off and perhaps even manipulated by the server administrator.

Therefore, it shouldn't be a problem turning it off.

F21 answered Oct 07 '22 07:10


There should be no negative side effects when you disable expose_php.

All it does is remove the X-Powered-By header and stop GET params from returning PHP credits and images.

Any third party application that relies on the header is dodgy. You can always spoof the header if required.

alex answered Oct 07 '22 08:10
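Both answers come down to one observable effect: after the change, the X-Powered-By header is gone. The script below is an added example (not from the question or either answer) that checks this from the outside, so you can confirm the php.ini edit actually reached the SAPI your site runs under. The sample header blocks and version numbers in it are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that a PHP host no longer advertises its version
# after setting
#     expose_php = Off
# in php.ini and restarting the web server / PHP-FPM.

# Read an HTTP response header block on stdin and succeed (exit 0) if any
# header advertises PHP. Covers X-Powered-By, which expose_php controls,
# and a Server banner that names PHP, which gives the same information away.
# Header names are case-insensitive and lines end in CRLF, so strip the CR.
php_exposed_in_headers() {
    tr -d '\r' | grep -iE '^(x-powered-by|server):.*php' >/dev/null
}

# Same check on a header block passed as a string (handy in scripts/tests).
headers_expose_php() {
    printf '%s\n' "$1" | php_exposed_in_headers
}

# Check a live host: exit 0 when the site still exposes PHP, 1 when clean.
# curl -sI sends a HEAD request, so only the headers are fetched.
site_exposes_php() {
    curl -sI "$1" | php_exposed_in_headers
}

# Local sanity check on the same machine: prints an empty line (or 0) when
# expose_php is Off and 1 when On. The CLI and web SAPIs may load different
# php.ini files, so the header check above is the one that matters.
expose_php_ini_value() {
    php -r 'echo ini_get("expose_php"), "\n";'
}

# Constructed sample headers, as an Apache/mod_php host might send them
# before and after the change (versions are made up for the example).
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10
Content-Type: text/html'
AFTER_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Content-Type: text/html'

if headers_expose_php "$BEFORE_HEADERS"; then echo "before: PHP version exposed"; fi
if ! headers_expose_php "$AFTER_HEADERS"; then echo "after: clean"; fi
```

Run `site_exposes_php https://your-host.example/` (placeholder URL) after the restart; a non-zero exit means the header is gone.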