I am working on a website that is not on my own server; I do not have much (any) access to the server settings outside of the website's SFTP.
The server previously ran PHP 5.21 and I used
header("X-Powered-By:");
to overwrite and remove the X-Powered-By header. This worked, but I have found that since the server was updated to PHP 5.6 this no longer works, and the headers produced are:
X-Powered-By:
X-Powered-By: PleskLin
I didn't expect multiple lines of the same header, so I tried adding code to the page
header_remove("X-powered-by");
but the PleskLin header remains. Obviously the header is being added after PHP has processed the page, so bear that in mind; it's also a server I am really not familiar with.
Also, running
header_remove();
does not remove the X-Powered-By header, but it does remove other PHP-set headers.
Is there a way I can remove this header within PHP?
How can I remove this header on the server, if it can't be removed by PHP? (I can email the server owner and ask them to change a setting, but they're not very tech-savvy in my few previous experiences with them.)
I have found that calling header_remove in the PHP and (strangely) also adding a .htaccess with the following does remove all X-Powered-By headers:
<IfModule mod_headers.c>
Header unset X-Powered-By
</IfModule>
To explain:
The original header given out is:
X-Powered-By: PleskLin
If I simply added the .htaccess removal code, the header became
X-Powered-By: PHP 5.6.1
but then combined with the on-page header_remove('X-Powered-By') this cleared all values for that particular header.
The only way you can do this is to ask the host to set expose_php to off in the php.ini file for you.
I have a website made on PHP version 7. My website is vulnerable to server banner grabbing. How can we solve this?
I have tried adding the following directives in the Apache configuration file /etc/apache2/httpd.conf:
ServerTokens Prod
ServerSignature Off
For HTTP communications, server banners are transmitted as HTTP headers. These come as name/value pairs like Server: Apache. PHP is known for adding an X-Powered-By header to each page, containing the PHP version as the value. For removing it, see
Hiding PHP's X-Powered-By header
I want to hide my PHP version in the response headers, and for that I changed expose_php to off, but it does not work.
I also added Header unset X-Powered-By to my .htaccess file, but it did not work either.
Can you guide me on that?
Depending on which group the X-Powered-By header has been set in, you may need to use the always condition (instead of the default onsuccess). For example:
Header always unset X-Powered-By
You can also try removing the header from within PHP itself. For example:
<?php
header_remove('X-Powered-By');
Reference:
https://httpd.apache.org/docs/current/mod/mod_headers.html#header
https://www.php.net/manual/en/function.header-remove.php
When I tried this on my localhost,
the value off didn't work for me; instead Off worked for me. Looks like it's case sensitive.
Note: a server restart is necessary.
I'm having issues with iframes (I have no control over these, as they come with the system I have) and the cross-site stuff.
I have added the usual X-Frame-Options to my .htaccess file, with the directive to allow the iframe from this other system that wants to iframe the site. No problem at first.
<IfModule mod_headers.c>
Header always set X-Frame-Options "ALLOW-FROM https://otherhost"
</IfModule>
And I can confirm that the above is taking effect as I have messed with the header content and it is reflected.
For some reason, I keep seeing the header X-Frame-Options: ALLOW-FROM https://otherhost, SAMEORIGIN with this additional SAMEORIGIN, which of course is not valid and fails within the browsers, ultimately resulting in the browser falling back to DENY, which then means the iframe is not shown.
The Apache 2 docs state, for the set option, that:
The response header is set, replacing any previous header with this name. The value may be a format string.
Yet I do not see it replacing the string. If I curl the login page, it presents correctly; if I inspect it in the Chrome/Safari inspector, it shows the additional , SAMEORIGIN and then complains that it's not valid.
I've even tried using the unset option for the Header directive, but it still keeps producing this header.
Is the Header directive applied post- or pre-output? This is driving me nuts and wasting so much time on a simple thing.
I have built a widget using the Fat-Free Framework for a client that should make their life easier, but they also requested that their website is created using Wix. I thought it would be easy to embed this F3 site within the Wix site using their embedding plugins (there are built-in and plug-in versions).
The problem is that regardless of the answers I have received so far on SO and other sites, I still get an X-Frame-Options is set to SAMEORIGIN error. I have tried the following:
header_remove() php command
header('X-Frame-Options: GOFORIT') php command (GOFORIT is for anything but SAMEORIGIN and DENY)
adding &output=embed to the link (this didn't work with F3)
adding the following htaccess code:
Header always append X-Frame-Options SAMEORIGIN
Header set Access-Control-Allow-Origin: "http://editor.wix.com"
Header set Access-Control-Allow-Origin: "http://www.wix.com"
I am afraid that the Wix embed plug-in will be a bit limited and I won't be able to change much on that end. Any ideas what to try next? Is there some configuration for F3 that will help this problem or am I using the PHP code wrong? Does anything need to be configured on the Wix site? Thanks for any help.
Try to set the XFRAME option for the framework:
$f3->set('XFRAME','GOFORIT');
https://github.com/bcosca/fatfree-core/blob/master/base.php#L2153
I didn't look into my .htaccess file. There was the line Header append X-FRAME-OPTIONS "SAMEORIGIN" in there along with some allows for Wix. Simply removing the append line allowed it to be embedded.
Is this by design?
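The two problems in the threads above (banner headers such as X-Powered-By and Server surviving the PHP-side fix, and X-Frame-Options ending up with ALLOW-FROM and SAMEORIGIN combined into one field) are both easiest to pin down by looking at the raw response rather than the browser inspector. The following is an added example, not code from any of the posts or from Apache, PHP or Fat-Free: it parses constructed response headers the way a client does (repeated fields kept, comma-joined values split), reports the banner leaks a scanner would flag, and resolves X-Frame-Options with the conflict rule Chromium applies, where two differing directives are reported as a conflict and the frame is refused. The hostnames and versions in the sample responses are placeholders.

```python
"""Audit raw HTTP response headers for banner leaks and X-Frame-Options
conflicts. Added example; the sample responses are constructed, not captured."""
from collections import defaultdict

# Constructed: what the first poster's server looked like after the PHP fix
# alone, plus the X-Frame-Options pair the later poster saw.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.6.1\r\n"
    "X-Powered-By: PleskLin\r\n"
    "X-Frame-Options: ALLOW-FROM https://otherhost\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed: what ServerTokens Prod, expose_php=Off and
# "Header always unset X-Powered-By" together should produce.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lower-name: [value, ...]}, keeping repeated fields in order.

    A field may legitimately appear more than once, and clients are allowed
    to fold repeats into one comma-separated value (RFC 7230 section 3.2.2).
    That folding is why curl shows two X-Frame-Options lines while the
    browser inspector shows one line with ", SAMEORIGIN" appended.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # [1:] drops the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def banner_findings(headers):
    """List the disclosures a banner-grabbing check would report."""
    findings = []
    # An empty X-Powered-By (what header("X-Powered-By:") produces) leaks
    # nothing, so only non-empty values are reported.
    for value in headers.get("x-powered-by", []):
        if value:
            findings.append("X-Powered-By present: %s" % value)
    for value in headers.get("server", []):
        # ServerTokens Prod emits the bare product name; a slash means a
        # version string is still being sent.
        if "/" in value:
            findings.append("Server discloses version: %s" % value)
    return findings


def _single_disposition(directive):
    """Disposition of one X-Frame-Options directive."""
    directive = directive.strip().upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return directive
    # ALLOW-FROM was never implemented by Chromium and has been dropped by
    # other engines, so it is treated as an unrecognised (invalid) value.
    return "INVALID"


def frame_options_disposition(headers):
    """Resolve X-Frame-Options across repeated or comma-joined fields.

    Identical directives collapse to one; differing ones are a CONFLICT,
    which Chromium logs ("multiple 'X-Frame-Options' headers with
    conflicting values") and then treats as DENY. That is the fallback the
    poster observed with "ALLOW-FROM https://otherhost, SAMEORIGIN".
    """
    dispositions = set()
    for field in headers.get("x-frame-options", []):
        for part in field.split(","):
            if part.strip():
                dispositions.add(_single_disposition(part))
    if not dispositions:
        return "NONE"
    if len(dispositions) > 1:
        return "CONFLICT"  # browser falls back to DENY
    return dispositions.pop()


def audit(raw):
    """Full report for one raw response: banner findings plus XFO result."""
    headers = parse_headers(raw)
    return {
        "banners": banner_findings(headers),
        "x_frame_options": frame_options_disposition(headers),
    }


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

To run it against a live server, feed the output of `curl -sI https://example.test/` (the raw header block) to `audit()`; the constructed responses above are only there so the block runs offline. A result of CONFLICT is the signal to look for a second source of the header (a `Header append`, a second `.htaccess`, or the application itself) rather than to keep adjusting the `Header set` line.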
On my Debian (Etch) server I noticed that Apache (2.2) will not send a Last-Modified header when serving PHP (mod_5.2.0) files (we're talking plain-jane echo 'Hello World'; PHP files).
Additionally, I noticed that the Accept-Ranges header is also not served by Apache for PHP files, although my main concern for the moment is the Last-Modified header.
PHP pages are dynamic and can change, so Apache can't know the Last-Modified header.
You can add your own header with:
header('Last-Modified: GMT time');
Of course, if you need this header, you probably also want to handle the If-Modified-Since request header.
You can find it in $_SERVER['HTTP_IF_MODIFIED_SINCE']
It only sends this with static files; PHP files aren't static.
But you can send them yourself; see http://www.php.net/manual/en/function.getlastmod.php#30514 for an example.
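The two answers above describe the pair of steps a dynamic page has to take itself: emit Last-Modified in the HTTP date format and, when the client sends If-Modified-Since, answer 304 instead of regenerating the page. The following is an added example, not code from the thread or from PHP's manual, written in Python so the logic can be run offline; in PHP the same inputs come from getlastmod() and $_SERVER['HTTP_IF_MODIFIED_SINCE']. The modification time and request headers are constructed, and the function names are this example's own. It also covers the edge cases that usually bite: sub-second mtimes (HTTP dates have one-second resolution, so an untruncated mtime is always "newer" and the page never returns 304), and an unparsable client date, which RFC 7232 says to ignore.

```python
"""Last-Modified / If-Modified-Since handling for a dynamic page.
Added example; the sample mtime and request headers are constructed."""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed: a modification time with a sub-second component, the kind a
# filesystem mtime or a database timestamp typically carries.
SAMPLE_MTIME = datetime(2024, 3, 1, 12, 0, 0, 500000, tzinfo=timezone.utc)


def _truncate_to_seconds(dt):
    """HTTP dates carry whole seconds only; compare at that resolution."""
    return dt.astimezone(timezone.utc).replace(microsecond=0)


def http_date(dt):
    """Format an aware datetime as an IMF-fixdate, e.g.
    'Fri, 01 Mar 2024 12:00:00 GMT', the only form a server should emit
    (RFC 7231 section 7.1.1.1)."""
    return format_datetime(_truncate_to_seconds(dt), usegmt=True)


def parse_http_date(value):
    """Parse a client-supplied HTTP date; None if it is not a valid date.

    parsedate_to_datetime raises TypeError on older Pythons and ValueError
    on newer ones for garbage input, so both are treated as "no date".
    """
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if parsed.tzinfo is None:  # "-0000" yields a naive datetime; treat as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return _truncate_to_seconds(parsed)


def conditional_get(last_modified, request_headers):
    """Decide the response for a GET of a resource last changed at
    `last_modified` (an aware datetime).

    Returns (status, response_headers). Last-Modified is always sent; 304 is
    returned only when the resource is not newer than the client's copy
    (RFC 7232 section 3.3: last-modified <= If-Modified-Since).
    """
    last_modified = _truncate_to_seconds(last_modified)
    response_headers = {"Last-Modified": http_date(last_modified)}
    since = parse_http_date(request_headers.get("If-Modified-Since", ""))
    if since is not None and last_modified <= since:
        return 304, response_headers
    return 200, response_headers


if __name__ == "__main__":
    # First request: no validator, full page.
    status, hdrs = conditional_get(SAMPLE_MTIME, {})
    print(status, hdrs)
    # Revalidation with the date we just sent back: 304, no body.
    status, hdrs = conditional_get(SAMPLE_MTIME, {"If-Modified-Since": hdrs["Last-Modified"]})
    print(status, hdrs)
```

Note that the revalidation round-trip in the `__main__` block only works because both sides are truncated to whole seconds; sending `Last-Modified` from a raw mtime and then comparing the parsed `If-Modified-Since` against that raw mtime produces a 200 on every request and silently disables caching.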