Set expose_php to Off in php.ini To Hide PHP Version Information on Web Server

PHP (Hypertest Preprocessor) is a server-side HTML embedded scripting language that is very popular for web development. When PHP is running on a web server, each and every request to the web server will return the following line of header with PHP version information to the browser.

X-Powered-By: PHP/[version]

The X-Powered-By header info is controlled by expose_php core php.ini directive. expose_php determines whether web server will report that PHP is being used to process the request, and what version of PHP is installed to every request. expose_php is enabled by default, so the information is sent on each HTTP and HTTPS request.

While PHP is generally reliable and secure, older and outdated versions of PHP may contain security holes and bugs. Although there is no problem leaving PHP version info exposed, and enable expose_php is not classified as security risk, but malicious hackers looking for potentially vulnerable targets can use PHP version installed on a web server to identify a weakness. By turning off expose_php, the existence and version of PHP is hidden, and help lower threat to attacks that rely on simple reconnaissance techniques to scan for vulnerable targets. Although websites not using SEO-optimized URL structures may still potentially been seen by human as running PHP from link location (e.g. index.php?variable=value), but bots and automated scripts from novice attackers may be fooled.

So it’s recommended disable and turn expose_php off. Webmasters can disable expose_php in the php.ini file, usually located in /etc, /usr/lib, /usr/local/lib or /usr/local/lib/php/:

; Disable expose_php for security reasons
expose_php = Off

Tip: Setting expose_php to Off in php.ini does not prevent or stop php_info() function from executing.

This entry was posted on Wednesday, July 15th, 2009 at 2:47 am and is filed under Webmaster Resources. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to comments feature has been disabled. To receive notification of latest comments posted, subscribe to My Digital Life Comments RSS feed or register to receive new comments in daily email digest.
« Samsung HMX-U10 Pocket-Sized Full HD Camcorder With One-Touch Youtube Upload Button
RIM To Launch Own Online Music Download Service »

New Articles

Incoming Search Terms for the Article

expose_php - php expose_php - expose_php off - php.ini expose_php - php.ini hide php - expose_php php.ini - what is expose_php - php hide server info - expose_php=off - Change the expose_php line to: expose_php = Off - expose_php php ini - expose php+php_ini - expose_php + php.ini - php warning hide php.ini - php ini expose_php - expose_php = Off - expose_php off or on - how to turn expose_php off - disable "expose_php" in php.ini - expose_php to - expose_php what is - IIS hide php version - security risks of php activation on a server - expose_php off - expose_php in file - php.ini security - cpanel expose_php setting location -