How to hide PHP version in the HTTP Headers

In default Apache/PHP configuration, the server sends HTTP Header with the information of which PHP version is running on the server. The HTTP response header “X-Powered-By” displays the version of PHP that is running on the server. This information can be used by hackers to try to exploit any vulnerabilities in the PHP version you are running, specially if you are running an older version with known vulnerabilities.

Sample HTTP Response Header:

HTTP/1.1 200 OK
Date: Sun, 04 Nov 2012 07:24:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,Cookie

Note: This is just one way to identify the version. Also, even if this information is not available hackers might still try to hack it using other ways.
There is an easy way to hide the PHP version from the HTTP headers. By setting the “expose_php” variable to Off in your php.ini file the PHP version would not longer be added to the HTTP headers. Use the following line in you php.ini file. Make sure to back up you file before editing so that in case something goes wrong you can easily revert.

expose_php = Off
Sample HTTP Response Header after adding the above line in php.ini file.

HTTP/1.1 200 OK
Date: Sun, 04 Nov 2012 07:24:47 GMT
Server: Apache
Vary: Accept-Encoding,Cookie
Note: Do not edit the php.ini file if you don’t know anything about it. Changing it can cause unexpected results and even cause your site to go offline. So edit it only if you are sure you can do it, else contact someone who knows about it.

Related posts:

  1. How to hide Nginx version number in headers and errors pages
  2. How to hide apache information with ServerTokens and ServerSignature directives
  3. How to remove WordPress version number
  4. How to Check Laravel Version through CLI / command prompt and file

3 thoughts on “How to hide PHP version in the HTTP Headers”

Leave a Reply