I want to hide my PHP version in the response headers, and for that I changed expose_php to off, but it does not work,
and I added Header unset X-Powered-By to my .htaccess file, but it did not work either.
Can you guide me on that?
Depending on which group the X-Powered-By header has been set in, you may need to use the always condition (instead of the default onsuccess). For example:
Header always unset X-Powered-By
You can also try removing the header from within PHP itself. For example:
<?php
header_remove('X-Powered-By');
Reference:
https://httpd.apache.org/docs/current/mod/mod_headers.html#header
https://www.php.net/manual/en/function.header-remove.php
When I tried this on my localhost,
the value off didn't work for me; instead Off worked for me. It looks like it's case sensitive.
Note: a server restart is necessary.
I have a website made on PHP version 7. My website is vulnerable to server banner grabbing. How can we solve this?
I have tried adding the following directives in the Apache configuration file /etc/apache2/httpd.conf:
ServerTokens Prod
ServerSignature Off
For HTTP communications, server banners are transmitted as HTTP headers. These come as name/value pairs like Server: Apache. PHP is known for adding an X-Powered-By header to each page, containing the PHP version as the value. For removing it, see
Hiding PHP's X-Powered-By header
Setting the referrer on Chrome using this PHP header will set all page referrers to none/no-referrer: "Referrer-Policy" => "no-referrer"
I have a problem setting the same Referrer policy to "no-referrer" on Firefox, because it seems the same PHP header doesn't work.
The solution must be in PHP, I cannot accept solution through META tags or JS.
( "Referrer-Policy" => "no-referrer" )
This should set the referrer to none (empty) on Firefox, but it doesn't.
On Chrome it works without any problem.
( "Referrer-Policy" => "no-referrer" )
This is not a valid PHP HTML Header.
The PHP header() function takes a text string in "<Header>: <value>" format, so:
header("Referrer-Policy: no-referrer");
This will set the header correctly; however, depending on your server setup this may be omitted if the same header has already been set elsewhere, such as in httpd.conf on Apache, or if the header has been set elsewhere with the always keyword, such as in .htaccess on Apache.
The question is no longer relevant for its author, but I'll add an answer for newer visitors:
the "Referrer-Policy" header did not work via PHP (modern virtual hosting), but it works fine if added to the .htaccess file.
The syntax is:
<IfModule mod_headers.c>
Header set Referrer-Policy "same-origin"
</IfModule>
Having issues with iframes (I have no control over these, as they come with the system I use) and the cross-site stuff.
I have added the usual X-Frame-Options to my .htaccess file, including the directive that allows the iframe from this other system that wants to iframe the site. No problem at first.
<IfModule mod_headers.c>
Header always set X-Frame-Options "ALLOW-FROM https://otherhost"
</IfModule>
And I can confirm that the above is taking effect, as I have messed with the header content and it is reflected.
For some reason, I keep seeing the header X-Frame-Options: ALLOW-FROM https://otherhost, SAMEORIGIN with this additional SAMEORIGIN, which of course is not valid and fails within the browsers, ultimately resulting in the browser falling back to DENY, which then means the iframe is not shown.
The Apache 2 docs state for the set option that:
The response header is set, replacing any previous header with this name. The value may be a format string.
Yet I do not see it replacing the string. If I curl the login page, it presents correctly; if I inspect it in the Chrome/Safari inspector, it shows the additional ", SAMEORIGIN" and then complains that it's not valid.
I've even tried using the unset option for the Header directive, but it still keeps producing this header.
Is the Header directive post- or pre-output? This is driving me nuts and wasting so much time on a simple thing.
I am working on a website that is not on my own server; I do not have much (any) access to the server settings outside of the website's SFTP.
The server previously ran PHP 5.21 and I used
header("X-Powered-By:");
to overwrite and remove the X-Powered-By header. This worked, but I have found that since the server was updated to PHP 5.6 this no longer works, and the headers produced are:
X-Powered-By:
X-Powered-By: PleskLin
I didn't expect multiple lines of the same header, so I tried adding this code to the page:
header_remove("X-powered-by");
but the PleskLin header remains. Obviously the header is being added after PHP has processed the page; bear that in mind, and it's a server I am really not familiar with.
Also, running
header_remove();
does not remove the X-Powered-By header, but does remove other PHP-set headers.
Is there a way I can remove this header within PHP?
How can I remove this header on the server if it can't be removed by PHP? (I can email the server owner and ask them to change a setting, but they're not very tech-savvy in my few previous experiences with them.)
I have found that calling header_remove in the PHP and (strangely) also adding a .htaccess with the following does remove all X-Powered-By headers:
<IfModule mod_headers.c>
Header unset X-Powered-By
</IfModule>
To explain:
The original header given out is:
X-Powered-By: PleskLin
If I simply added the .htaccess removal code, the header became
X-Powered-By: PHP 5.6.1
but combined with the on-page header_remove('X-Powered-By') this cleared all values for that particular header.
The only way you can do this is to ask the host to set expose_php to off in the php.ini file for you.
I want to add the following settings to my server:
ServerSignature Off
ServerTokens Prod
However, after research, it seems I have to add these settings in my httpd.conf or apache2.conf file. It won't work in my php.ini or .htaccess in my public webroot. If I do not have access to these two server files (httpd.conf or apache2.conf), how can I get access, or is there an alternative way to get these settings to work? It is a security issue I need to sort out ASAP. Thanks
No, you can't configure Apache (as these are Apache settings) via PHP or any other language.
You may hide these values from showing on error pages with a little mod_rewrite, so that any request to your server or web application gets directed to a PHP script that outputs whatever error you want.
These values are also shown in the HTTP response headers that Apache sends to the browser, so maybe you can overwrite them with PHP via the header function, using the optional param $bool_replace = true (which is the default value):
header("Server: IIS/6.0", true); // this will fool observers
header("X-Powered-By: Feces-Throwing-Monkey 3.14", true);
Edit: judging from a comment in PHP's header documentation, this works, and you should also overwrite the X-Powered-By header.
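Added example (not code from any of the posts above): a small shell audit that checks a raw header block for the problems raised across this page: a versioned Server banner, any X-Powered-By header (including the doubled "X-Powered-By:" / "X-Powered-By: PleskLin" case from the Plesk question), any header sent more than once, and an X-Frame-Options value that has been merged with SAMEORIGIN into an invalid comma-separated list. The sample header block is constructed; pass a URL as the first argument to run the same checks against a live response via curl -sI.

```shell
#!/bin/sh
# Audit HTTP response headers for version disclosure and doubled/merged headers.
# Usage: ./audit.sh            (runs against the constructed sample below)
#        ./audit.sh https://example.test/   (fetches headers with curl -sI)

# Constructed sample, not captured from any real server. It mirrors the posts:
# versioned Server banner, PHP's own X-Powered-By plus a second one added by
# the host, and an X-Frame-Options that two layers both set.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Powered-By: PleskLin
X-Frame-Options: ALLOW-FROM https://otherhost, SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

# audit_headers: reads header lines on stdin, prints one finding per line.
# Empty output means none of the checked problems were found.
audit_headers() {
  tr -d '\r' | awk '
    /^HTTP\// || !/:/ { next }            # skip the status line and non-header lines
    {
      colon = index($0, ":")
      name  = tolower(substr($0, 1, colon - 1))
      value = substr($0, colon + 1); sub(/^[ \t]+/, "", value)
      seen[name]++
      # "Server: Apache" is what ServerTokens Prod gives; a digit means a version leaked
      if (name == "server" && value ~ /[0-9]/)
        print "disclosure: Server reveals a version: " value
      # any X-Powered-By, even an empty one, tells the client PHP is behind the page
      if (name == "x-powered-by")
        print "disclosure: X-Powered-By present: " value
      # a comma means two X-Frame-Options values were merged; browsers reject that
      if (name == "x-frame-options" && value ~ /,/)
        print "malformed: X-Frame-Options carries multiple values: " value
    }
    END {
      # the same header twice usually means two layers (PHP and Apache/host) each set it
      for (n in seen) if (seen[n] > 1) print "duplicate: " n " sent " seen[n] " times"
    }'
}

if [ "$#" -gt 0 ]; then
  curl -sI "$1" | audit_headers
else
  printf '%s\n' "$SAMPLE_HEADERS" | audit_headers
fi
```

Re-run it after each change (and after the Apache restart mentioned above) until it prints nothing for the page you are fixing.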