Set expose_php to Off in php.ini To Hide PHP Version Information on Web Server

PHP (Hypertext Preprocessor) is a server-side, HTML-embedded scripting language that is very popular for web development. When PHP is running on a web server, each and every request to the web server returns the following header line, which reveals the PHP version to the browser.

X-Powered-By: PHP/[version]

The X-Powered-By header is controlled by the expose_php core php.ini directive. expose_php determines whether the web server reports, on every request, that PHP is being used to process the request and which version of PHP is installed. expose_php is enabled by default, so the information is sent on each HTTP and HTTPS request.

While PHP is generally reliable and secure, older and outdated versions of PHP may contain security holes and bugs. Leaving the PHP version exposed is not a problem in itself, and enabling expose_php is not classified as a security risk, but malicious hackers looking for potentially vulnerable targets can use the PHP version installed on a web server to identify a weakness. Turning off expose_php hides the existence and version of PHP, which helps lower the threat from attacks that rely on simple reconnaissance techniques to scan for vulnerable targets. Websites that do not use SEO-optimized URL structures may still be recognized by a human as running PHP from the link location (e.g. index.php?variable=value), but bots and automated scripts from novice attackers may be fooled.

So it’s recommended to disable expose_php. Webmasters can turn it off in the php.ini file, usually located in /etc, /usr/lib, /usr/local/lib or /usr/local/lib/php/:

; Disable expose_php for security reasons
expose_php = Off

Tip: Setting expose_php to Off in php.ini does not prevent or stop the phpinfo() function from executing.
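
To confirm the change took effect, the shell helpers below (an added example, not part of the original article) report the effective expose_php value in a php.ini file and whether a set of response headers still carries the X-Powered-By banner. The function names, the sample php.ini contents and the PHP/0.0.0 version string are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit helpers for expose_php.

# Print the effective expose_php value ("On" or "Off") for one php.ini file.
# Assumptions: the last uncommented assignment wins, on/yes/true/1 mean On,
# and sections such as [PATH=...] are not treated specially.
expose_php_state() {
    line=$(sed -e 's/;.*$//' "$1" \
        | grep -E '^[[:space:]]*expose_php[[:space:]]*=' \
        | tail -n 1)
    if [ -z "$line" ]; then
        echo On            # directive absent: enabled by default
        return 0
    fi
    value=$(printf '%s\n' "$line" \
        | sed -e 's/^[^=]*=//' -e 's/[[:space:]"]//g' \
        | tr '[:upper:]' '[:lower:]')
    case $value in
        on|yes|true|1) echo On ;;
        *)             echo Off ;;
    esac
}

# Read raw HTTP response headers on stdin. If an X-Powered-By header names
# PHP, print its value and return 0; otherwise print nothing and return 1.
php_banner() {
    banner=$(tr -d '\r' \
        | grep -i -E '^x-powered-by:[[:space:]]*php' \
        | head -n 1 \
        | sed -e 's/^[^:]*:[[:space:]]*//')
    [ -n "$banner" ] || return 1
    printf '%s\n' "$banner"
}

# Constructed sample data: a php.ini that still has the old value commented
# out above the hardened one, and a response captured before the change.
sample_ini=$(mktemp)
printf '%s\n' '[PHP]' ';expose_php = On' \
    '; Disable expose_php for security reasons' 'expose_php = Off' > "$sample_ini"
echo "php.ini says: $(expose_php_state "$sample_ini")"
printf 'HTTP/1.1 200 OK\r\nX-Powered-By: PHP/0.0.0\r\n\r\n' \
    | php_banner || echo "no PHP banner"
rm -f "$sample_ini"
```

Against a live server, pipe real headers into the second helper, for example with curl -sI piped to php_banner; a banner that persists after the edit usually means a different php.ini is loaded or the web server has not been restarted.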

