I have a website made on PHP version 7. My website is vulnerable to server banner grabbing. How can we solve this?
I have tried adding the following directives in the Apache configuration file /etc/apache2/httpd.conf:
ServerTokens Prod
ServerSignature Off
For HTTP communications, server banners are transmitted as HTTP headers. These come as name/value pairs like Server: Apache. PHP is known for adding an X-Powered-By header to each page, containing the PHP version as the value. To remove it, see
Hiding PHP's X-Powered-By header
I am currently trying to configure the response headers for a Wordpress website.
Web Server: Apache 2
Operating System: Ubuntu 16.04
Right now, I have figured out that I am able to modify the HTTP response headers for the website through 3 different ways:
Configuring apache2.conf in /etc/apache2
Configuring the .htaccess file within the Wordpress directory
(I do not have mod_headers.c, therefore I cannot use this method)
Directly specifying the headers to use in the header.php file of the current Wordpress theme
Previously I set the website's response headers by directly specifying the HTTP headers in the header.php file (which contains all the scripts and whatnot to be used for each page). However, right now I'm trying to move all header configuration into apache2.conf so that all sites hosted on the server have the same response headers.
However, after restarting the Apache server, I am getting duplicate response headers even though I have removed all header declarations from the header.php file, and I am not sure why...
Because of security issues, the authorities of the main domain that my department's site is on are requiring us to only specify one instance of each HTTP header.
Does anyone know how to resolve this issue? Also, what are the best practices for setting HTTP response headers for sites hosted on an Apache 2 server?
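As an added example (it is not code from either of the questions above, nor from Apache or WordPress), here is a small Python script that parses a saved raw HTTP response, as produced by curl -i, and reports the two things discussed on this page: banner headers that still carry a version number, and header names that appear more than once. The response text inside it is a constructed sample, and the list of banner header names is my own choice.

```python
"""Audit a captured HTTP response for banner leaks and duplicate headers."""
import re

# Headers that commonly carry a software banner (compared case-insensitively).
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# Headers that legitimately appear more than once in a single response.
REPEATABLE = {"set-cookie"}
VERSION_RE = re.compile(r"\d+\.\d+")  # something that looks like a version number


def parse_response_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...]).

    Duplicates are kept as separate entries, which is what the audit needs;
    names are lower-cased so 'X-Powered-By' and 'x-powered-by' compare equal.
    """
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = [ln for ln in head.splitlines() if ln.strip()]
    if not lines:
        return "", []
    status_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            continue  # not a header line (e.g. a folded continuation); skip it
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def audit_headers(raw):
    """Return {'banners': [...], 'duplicates': [...]} for a raw response."""
    _, headers = parse_response_headers(raw)
    findings = {"banners": [], "duplicates": []}
    seen = {}
    for name, value in headers:
        seen.setdefault(name, []).append(value)
        if name in BANNER_HEADERS and value:
            # "Server: Apache" is what ServerTokens Prod gives; a version
            # number in the value is the leak the first question is about.
            findings["banners"].append({
                "header": name,
                "value": value,
                "has_version": bool(VERSION_RE.search(value)),
            })
    for name, values in seen.items():
        if len(values) > 1 and name not in REPEATABLE:
            findings["duplicates"].append({"header": name, "values": values})
    return findings


# Constructed sample: what an unhardened Apache/PHP host might answer, with
# X-Frame-Options emitted twice (e.g. once by Apache and once by the theme).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.0.33\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: a=1\r\n"
    "Set-Cookie: b=2\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>\r\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(audit_headers(SAMPLE_RESPONSE), indent=2))
```

Run it once before and once after changing ServerTokens, expose_php or the theme's header.php: the banners list should shrink to entries with has_version false, and the duplicates list should be empty. Set-Cookie is excluded from the duplicate check because one response may legitimately set several cookies.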
I am trying to login with ajax to an API and I get this error:
XMLHttpRequest cannot load. The 'Access-Control-Allow-Origin' header
has a value that is not equal to the supplied origin. Origin
'http://localhost' is therefore not allowed access.
I read all about this error, all over the internet, and I've tried all the solutions I could find online. I modified the .htaccess and apache httpd configuration file according to the CORS instructions here: http://enable-cors.org/server_apache.html
Access-Control-Allow-Origin: *
Nothing seems to be working. I'd really appreciate if you guys can help me out with this. Thank you!
You have to set the Access-Control-Allow-Origin header to * or to a specific value such as http://localhost.
You can do this through:
1- Your code
2- .htaccess file
3- Server config (restart web server required)
Here is a link that shows how to do it on Apache:
http://access-control-allow-origin-guide.com/enable-cors-on-apache-linux/
As added browser security, unless the API allows cross-origin requests in the returned response headers, there is no way around this.
The browsers are blocking it. There is a plugin to allow it for Chrome, but it is not realistic to depend on a browser plugin to allow end-user requests.
Try to reach out to the API provider and see if they can look into updating the header in the response.
It is a CORS issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
I use an .htaccess file to load JSON data from a different host, and it works, but
it has to be put inside the public HTML root of the web hosting, for example
uploading .htaccess into --> (https://freehostingsomewhere.com/)
then inside .htaccess:
<FilesMatch "\.(ttf|otf|eot|woff|jpg|png|jpeg|gif|js|json|html|css)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "http://localhost"
</IfModule>
</FilesMatch>
Here I use http://localhost for development and it works;
if I have another web host, just change it to that URL. I will try it later (it can, I already tried it) :p
This is just for a clearer explanation.
cheers :p
Are your requests using either cookies or authorization by any chance?
Check on your ajax call on the client side if you're configuring it to be done "with credentials"
xhr.withCredentials = true; // on the XMLHttpRequest object
If yes, the wildcard (*) will not work and you'll need to provide the exact host as the value for Access-Control-Allow-Origin.
Refer to this Stack Overflow answer or the Mozilla documentation on CORS.
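The rules spelled out across the answers above (echo an allow-listed origin exactly, never answer * when the request carries credentials, and mark the response as varying by Origin) can be written as one small decision function. The following is an added example in Python, not code from the question, the answers or any of the linked guides; the allow-list in it is a constructed sample, and the function and parameter names are my own.

```python
"""Decide which CORS headers to send for a given request Origin."""
from urllib.parse import urlsplit

# Constructed allow-list. An origin is scheme + host + port, so
# http://localhost and https://localhost are different origins.
ALLOWED_ORIGINS = {"http://localhost", "https://app.example.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' in canonical form, or None if unusable.

    'null' (sandboxed iframes, file:// pages) and anything that is not a bare
    http(s) origin are rejected rather than echoed back.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if port == DEFAULT_PORTS[parts.scheme]:
        port = None  # http://localhost:80 is the same origin as http://localhost
    return f"{parts.scheme}://{parts.hostname}" + (f":{port}" if port else "")


def cors_headers(origin, credentials=False, public=False, allowed=ALLOWED_ORIGINS):
    """Return the CORS headers to add to the response, or {} to deny.

    credentials: the browser sends cookies/Authorization (xhr.withCredentials);
                 browsers reject a '*' answer in that case anyway.
    public:      the resource is genuinely public and may be read by any origin.
    """
    norm = normalize_origin(origin)
    if norm is None:
        return {}
    if norm in allowed:
        headers = {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
        if credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    if public and not credentials:
        # The wildcard is only right for public, credential-less resources.
        return {"Access-Control-Allow-Origin": "*"}
    return {}


if __name__ == "__main__":
    for o in ("http://localhost", "http://localhost:80", "https://evil.example.com", "null"):
        print(o, "->", cors_headers(o, credentials=True))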
I am working on a website that is not on my own server; I do not have much (any) access to the server settings outside of the website's SFTP.
The server previously ran PHP 5.21 and I used
header("X-Powered-By:");
to overwrite and remove the X-Powered-By header. This worked, but I have found that since the server was updated to PHP 5.6 this no longer works, and the headers produced are:
X-Powered-By:
X-Powered-By: PleskLin
I didn't expect multiple lines of the same header, so I tried adding code to the page
header_remove("X-powered-by");
but the PleskLin header remains. Obviously the header is being added after PHP has processed the page; bear that in mind, and it's a server I am really not familiar with.
Also running
header_remove();
Does not remove the X-Powered-By header but does remove other PHP set headers.
Is there a way I can remove this header within PHP?
How can I remove this header on the server, if it can't be removed by PHP? (I can email the server owner and ask them to change a setting, but they're not very tech-savvy in my few previous experiences with them.)
I have found that setting header_remove in the PHP and (strangely) also adding an .htaccess with the following does remove all X-Powered-By headers:
<IfModule mod_headers.c>
Header unset X-Powered-By
</IfModule>
To explain:
The original header given out is:
x-Powered By: Plesklin
If I simply added the .htaccess removal code, the header became
X-Powered-By: PHP 5.6.1
but combined with the on-page header_remove('X-Powered-By') this cleared all values for that particular header.
The only way you can do this is to ask the host to set expose_php to off in the php.ini file for you.
I want to add the following settings to my server:
ServerSignature Off
ServerTokens Prod
However, after research, I have to add these settings to my httpd.conf or apache2.conf file. It won't work in my php.ini or .htaccess in my public webroot. If I do not have access to these two server files (httpd.conf or apache2.conf), how can I get access, or is there an alternative way to get these settings to work? It is a security issue I need to sort out ASAP. Thanks
No, you can't configure Apache (as these are Apache settings) via PHP or any other language.
You may hide these values from showing on error pages with a little mod_rewrite, so that any request to your server or web application gets directed to a PHP script that outputs whatever error you want.
These values are also shown in the HTTP response headers that Apache sends to the browser, so maybe you can overwrite them with PHP via the header function, using the optional parameter $bool_replace = true (which is the default value):
header("Server: IIS/6.0", true); // this will fool observers
header("X-Powered-By: Feces-Throwing-Monkey 3.14", true);
Edit: judging from a comment in PHP's header documentation, this works, and you should also overwrite the X-Powered-By header.
According to RFC 2616, which defines HTTP/1.1, the Host: header is mandatory.
A client MUST include a Host header field in all HTTP/1.1 request messages.
But the PHP manual implies that it could be empty:
'HTTP_HOST': Contents of the Host: header from the current request, if there is one.
In which situations could this header, and thus $_SERVER['HTTP_HOST'], be empty? Could my application depend on its being there?
It can be empty in HTTP 1.0. If no host header is specified, virtual hosting won't work at all, so the default vhost in your web server will be used.
I just tested this myself; in PHP under Nginx the $_SERVER['HTTP_HOST'] variable got set to the name of the virtual host, which is _ in my case. But that also depends on your fastcgi_params configuration in Nginx.
On shared hosting this is not important since the default vhost will be set to some information page from the hosting company, and so your script will not be run. Could be a good thing to keep in mind for your own server though.
Crawlers (e.g. google), scrapers or even perfectly legal scripts interfacing with your API may accidentally or ignorantly skip the Host header.
I added this answer because this question came up on google when I looked for the same thing.
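The practical answer to "could my application depend on its being there?" is to validate the Host header rather than trust it. The following is an added example in Python, not code from the question or either answer: it reads the same CGI-style variables PHP exposes in $_SERVER (SERVER_PROTOCOL and HTTP_HOST), rejects an HTTP/1.1 request with no Host as RFC 2616 requires, falls back to a configured canonical name for HTTP/1.0 clients, and checks that what arrived is a well-formed hostname the application actually serves. The hostnames, the regular expression and the function name are my own constructed choices.

```python
"""Validate the Host header before building URLs or routing on it."""
import re

# Constructed: the names this application is actually deployed under.
SERVED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_HOST = "www.example.com"
# DNS-style labels separated by dots, with an optional numeric port.
HOST_RE = re.compile(
    r"^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]*[a-z0-9])?(:\d{1,5})?$"
)


def resolve_host(environ):
    """Return (status, host); status is 'ok', 'bad_request' or 'unknown_host'.

    `environ` is a CGI-style mapping like PHP's $_SERVER or a WSGI environ: it
    carries SERVER_PROTOCOL and, only when the client sent one, HTTP_HOST.
    """
    protocol = environ.get("SERVER_PROTOCOL", "HTTP/1.0")
    raw = environ.get("HTTP_HOST", "")
    if not raw:
        if protocol in ("HTTP/1.0", "HTTP/0.9"):
            return ("ok", CANONICAL_HOST)  # old client: use the configured name
        return ("bad_request", None)  # RFC 2616: Host is mandatory from HTTP/1.1 on
    host = raw.strip().lower()
    if not HOST_RE.match(host):
        # Covers garbage, Nginx's "_" default server name, and CR/LF injection.
        return ("bad_request", None)
    name = host.split(":")[0]  # drop the port for the allow-list comparison
    if name not in SERVED_HOSTS:
        return ("unknown_host", None)
    return ("ok", host)


if __name__ == "__main__":
    samples = [
        {"SERVER_PROTOCOL": "HTTP/1.1", "HTTP_HOST": "www.example.com"},
        {"SERVER_PROTOCOL": "HTTP/1.1"},
        {"SERVER_PROTOCOL": "HTTP/1.0"},
        {"SERVER_PROTOCOL": "HTTP/1.1", "HTTP_HOST": "_"},
        {"SERVER_PROTOCOL": "HTTP/1.1", "HTTP_HOST": "attacker.test"},
    ]
    for env in samples:
        print(env.get("HTTP_HOST", "<absent>"), "->", resolve_host(env))
```

An 'unknown_host' result is the case the second answer hints at: a request that reached your default vhost with some other name in Host. Answering it with a fixed canonical redirect (or a 400) keeps the application from generating links, password-reset URLs or cookies for a hostname it does not own.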