I have been advised that having expose_php = On
in my php.ini is a security issue and is, therefor, not PCI compliant.
My research on it so far suggests that turning it off is low risk and will essentially stop sending back the PHP version in the header, however I am wondering if there are likely to be any issues that come on the back of this change.
Potential issues I am thinking of are third party services (payment providers, email tracking systems, video streaming APIs) that expect you to respond with a header that indicate you are running a version of PHP, possibly over a certain version?
Should this be a seamless change or does this have the potential for problems?
There are no known risks of disabling expose_php on a web server. Most Third Party services are agnostic to PHP version, and would not need this information exposed in order to function properly.
Using the expose_php directive Similarly, some third-party applications require the expose_php directive to be disabled. To verify the current value of the expose_php directive and other directives, you can use the phpinfo() function.
ini using disable_functions directive. This directive allows you to disable certain functions for security reasons.
That's correct.
Setting expose_php = Off
just prevents the webserver from sending back the X-Powered-By
header.
While one could say that potential hackers could look for out of date versions of PHP with security holes to exploit, they could potentially do the same even if the header was turned off. In my opinion, it is a good thing to do, but do not expect it to offer much protection.
In terms of interacting with third party services, they should not have to care about which version of PHP you are using. They should be able to serve content in platform-agnostic formats such as JSON, XML, etc, so that the services can be consumed by any platform and not just PHP.
In anycase, for them to rely on the "consumer's" PHP version is useless, as the header can be easily turned off and perhaps even manipulated by the server administrator.
Therefore, it shouldn't be a problem turning it off.
There should be no negative side effects when you disable expose_php
.
All it does is remove the X-Powered-By
header and stop GET params from returning PHP credits and images.
Any third party application that relies on the header is dodgy. You can always spoof the header if required.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With