Remove X-Powered-By PHP from the HTTP response header

Why it's a good idea to hide X-Powered-By PHP

This tutorial shows how to hide the PHP version in the HTTP response headers, otherwise known as removing the X-Powered-By PHP version. So that not everyone can see that we are using PHP, or maybe an old version of PHP, we can hide this information from the response headers. From a security point of view this is a very good thing to do, because we do not want to show information about our vulnerable software in the response headers. By hiding this information we discourage hackers from trying to exploit these vulnerabilities.

More security settings

I also have other tutorials that will help you hide your nginx version number or rename the Server attribute completely. I recommend checking them out if you care about securing your web server.

Remove X-Powered-By PHP

Locate your php.ini file. If you installed the default version using the Linux apt-get command, you can open the file as follows:

sudo nano /etc/php5/fpm/php.ini

Look for the expose_php directive; in the default configuration file it is somewhere around line 366. To remove the PHP version from the HTTP response headers, set expose_php to Off. PHP will then stop sending the X-Powered-By header in the HTTP response.

expose_php = Off

Restart PHP

sudo service php5-fpm restart

Testing the output

To test the HTTP response headers I use curl -I. The -I option makes curl return only the response headers.

curl -I example.com

As you can see, X-Powered-By no longer appears in the HTTP response headers.

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Nov 2014 21:00:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
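
The check below is an added example, not part of the original tutorial: it reads php.ini text and `curl -I` output and reports whether expose_php is effectively off and whether X-Powered-By is still being sent. The function names and sample inputs are constructed, and it assumes that the last uncommented expose_php line wins and that PHP's built-in default (On) applies when the directive is absent.

```shell
#!/bin/sh
# Added example: verify the expose_php change from the config side and the wire side.
# Print the effective expose_php value ("On" or "Off") for php.ini text on stdin.
# Assumptions: ';' starts a comment, the last uncommented assignment wins,
# and the built-in default (On) applies when the directive is missing.
effective_expose_php() {
    awk '
        BEGIN { val = "On" }
        /^[ \t]*;/ { next }                       # skip commented-out lines
        {
            line = $0; sub(/;.*$/, "", line)      # drop a trailing comment
            n = index(line, "=")
            if (n == 0) next                      # section headers, blank lines
            key = tolower(substr(line, 1, n - 1))
            gsub(/[ \t]/, "", key)
            if (key != "expose_php") next
            v = tolower(substr(line, n + 1))
            gsub(/[ \t"\r]/, "", v)
            val = (v == "on" || v == "1" || v == "true" || v == "yes") ? "On" : "Off"
        }
        END { print val }
    '
}

# Read response headers on stdin, print any X-Powered-By lines and return 1
# if one is present. Header names are case-insensitive, so match that way.
check_headers() {
    leaked=$(tr -d '\r' | grep -i '^x-powered-by[[:space:]]*:') || true
    [ -z "$leaked" ] && return 0
    printf '%s\n' "$leaked"
    return 1
}

# Constructed sample inputs (not taken from a real server).
sample_ini='[PHP]
; expose_php = On
expose_php = On
expose_php = Off ; hide the PHP banner'
sample_headers='HTTP/1.1 200 OK
Server: nginx
x-powered-by: PHP/0.0.0'

printf '%s\n' "$sample_ini" | effective_expose_php
printf '%s\n' "$sample_headers" | check_headers || echo "X-Powered-By still present"
```

On a server, feed the functions real input instead, for example `effective_expose_php < /etc/php5/fpm/php.ini` and `curl -sI example.com | check_headers`. If the file says Off but the header is still returned, PHP has not been restarted or a different php.ini is in use.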
