By default, PHP is configured to let the server display the installed PHP version in the X-Powered-By HTTP response header.
For server security reasons (although this is not the primary threat to be feared), it is recommended that you disable or hide this information so that attackers targeting your server cannot tell whether you are running PHP.
Suppose a specific version of PHP installed on your server has a security vulnerability and attackers know which version you run: it then becomes easier for them to exploit the vulnerability and gain access to the server through a script.
In my previous article, I showed how to hide the Apache version number so that the installed Apache version is no longer displayed. But if you run PHP on your Apache server, you also need to hide the installed PHP version, which we'll show in this article.
Therefore, in this article, we will explain how to hide or turn off the PHP version number in the server HTTP response header.
This setting can be configured in the loaded PHP configuration file. If you do not know the location of this file on the server, run the following command to locate it:
- $ php -i | grep "Loaded Configuration File"
PHP configuration file location
- ---------------- On CentOS/RHEL/Fedora ----------------
- Loaded Configuration File => /etc/php.ini
- ---------------- On Debian/Ubuntu/Linux Mint ----------------
- Loaded Configuration File => /etc/php/7.0/cli/php.ini
Before making any changes to the PHP configuration file, I recommend that you first back up your PHP configuration file as follows:
- ---------------- On CentOS/RHEL/Fedora ----------------
- $ sudo cp /etc/php.ini /etc/php.ini.orig
- ---------------- On Debian/Ubuntu/Linux Mint ----------------
- $ sudo cp /etc/php/7.0/cli/php.ini /etc/php/7.0/cli/php.ini.orig
With your favorite editor, open the file with superuser privileges:
- ---------------- On CentOS/RHEL/Fedora ----------------
- $ sudo vi /etc/php.ini
- ---------------- On Debian/Ubuntu/Linux Mint ----------------
- $ sudo vi /etc/php/7.0/cli/php.ini
Search for the keyword expose_php and set its value to Off:
- expose_php = Off
Save and exit the file. After that, restart the Web server:
- ---------------- Using systemd ----------------
- $ sudo systemctl restart httpd
- Or
- $ sudo systemctl restart apache2
- ---------------- Using SysVinit ----------------
- $ sudo service httpd restart
- Or
- $ sudo service apache2 restart
Last but not least, use the following command to check whether the server HTTP response header still displays your PHP version number.
- $ lynx -head -mime_header http://localhost
- Or
- $ lynx -head -mime_header http://server-address
The options used here mean:
- -head – sends a HEAD request for the MIME headers.
- -mime_header – prints the MIME header of the fetched document together with its source.
Note: Make sure that the command line Web browser Lynx is already installed on your system.
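The check above can also be scripted. This is an added example, not part of the original article: `expose_php_state` reports the effective expose_php setting in a given php.ini, and `php_disclosure` scans response headers for an X-Powered-By line that names PHP. The function names, sample files and sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: check expose_php in a php.ini and in response headers.

# expose_php_state FILE: print the effective setting in one php.ini:
# "on", "off", or "unset" (unset means the built-in default, which is On).
# The last uncommented assignment wins; directive names are case-sensitive.
expose_php_state() {
    awk '
        /^[ \t]*;/ { next }                           # whole-line comment
        /^[ \t]*expose_php[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)               # keep text after "="
            sub(/[ \t]*(;.*)?$/, "", v)               # drop trailing comment
            gsub(/"/, "", v); v = tolower(v)
            state = (v ~ /^(on|yes|true)$/ || v + 0 != 0) ? "on" : "off"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# php_disclosure: read raw response headers on stdin. Prints each
# X-Powered-By header that names PHP; exit status 1 if any, 0 if none.
php_disclosure() {
    tr -d '\r' | awk '
        tolower($0) ~ /^x-powered-by:.*php/ { print; found = 1 }
        END { exit found + 0 }
    '
}

# Constructed sample data (not captured from a real server).
tmp=$(mktemp -d)
printf '[PHP]\n;expose_php = Off\nexpose_php = On\n' > "$tmp/stock.ini"
printf '[PHP]\nexpose_php = On\nexpose_php = Off ; hardened\n' > "$tmp/fixed.ini"
before=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/7.0.33\r\n\r\n')
after=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n')

for f in "$tmp/stock.ini" "$tmp/fixed.ini"; do
    echo "$(basename "$f"): expose_php is $(expose_php_state "$f")"
done
printf '%s\n' "$before" | php_disclosure || echo "before: PHP version disclosed"
printf '%s\n' "$after"  | php_disclosure && echo "after: no PHP header"
rm -rf "$tmp"
```

Against a live server, pipe real headers in, for example `curl -sI http://localhost | php_disclosure`. Run `expose_php_state` on every php.ini on the system, because `php -i` reports the file loaded by the command-line PHP, which may differ from the one the web server's PHP loads.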
That's it! In this article, we explained how to hide the PHP version number in the server HTTP response header to protect the Web server from possible attacks. You can leave your thoughts or related questions in the comments section below.