Rewrite HTTP server header with PHP - php

When I try to use this code:
header('X-Powered-By: ASP.NET');
header('Server: Microsoft-IIS/7.5');
the headers that are sent are:
Server:Apache/2.2.22 (Win64) PHP/5.4.3
X-Powered-By:ASP.NET
What do I need to do?

Your Server header is being replaced by apache2.
The solution may be to completely disable sending the Server header by the web server. In fact, Apache (and most web servers) does not allow you to completely disable the server signature.
You can find some useful information here: Removing http headers in Apache2

Related

Why are Apache/php Headers in different case on Server vs local

Is there an Apache or PHP setting that would change a header returned by getallheaders() from capitalized to lowercase?
On my localhost it receives an Authorization header, but the same code returns authorization on the server, and the same client (Postman) is being used in both cases.
As per the HTTP/1.1 spec, field names are case-insensitive.
https://www.ietf.org/rfc/rfc2616.txt

What is X-Cache:MISS from localhost and X-Cache-Lookup:MISS from localhost:3128

I'm seeing these two headers in the response headers of an AJAX call. I need to know more about this: what is the meaning of these headers? Does this imply caching of data from the server?
X-Cache:MISS from localhost
X-Cache-Lookup:MISS from localhost:3128

How to remove specific HTTP response headers in PHP?

I'd like to remove the following headers:
Connection: Keep-Alive
Server: Apache/2.2.13 (Win32)
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=66
I don't think this can be done properly in PHP, as these headers are set by Apache.
There is PHP 5.3's header_remove() but that can remove only headers set by PHP (If I understand correctly). You could also overwrite the undesired headers by sending them again with empty values, but the original values will be sent anyway.
The best thing would be to fix this at the root, in Apache's configuration. For example, the ServerTokens directive can change the "Server:" header.
Related: apache_response_headers()
You could turn your script into a non-parsed-header CGI. For that you have to rename your example.php script into nph-script.cgi, make it executable (+x) and add the shebang:
#!/usr/bin/php-cgi
<?php
This requires you to send ALL http headers yourself however, including the HTTP/1.0 200 OK status line. (see rfc2616 php.ini config)
Oh, and actually I have no clue if this still works for current Apache versions.
Using PHP (or any other server-side language), send the header Connection: close. This will cause Apache to omit the Keep-Alive header, since the connection is no longer keep-alive, e.g.
header('Connection: close');
Not sure if it works the same on all types of servers; suggestions welcome.

How do I block people from outside my web server from seeing what technologies I'm using (e.g., Apache or PHP)?

I am running a test server locally that is also broadcast (for education purposes) on a Mac. I ran software called Acunetix from another computer and it was able to detect the technologies used on the server.
How can I prevent others from viewing the technology my server is running?
Here is one thing you can do to hide the Apache, PHP and OS version information.
Before:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8
After:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
Also, make sure that you have custom error pages so that they don't reveal information about Apache and PHP.
1) Using mod_security you can change your ServerSignature to something completely different like this:
SecServerSignature "Microsoft IIS"
Without mod_security, your http header will still say "Apache".
2) Even if you don't have a .php extension you can see if the file is a PHP file by doing this:
http://digg.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
This URL will display:
To stop this image hack and other issues, make sure this is set in your php.ini:
expose_php=Off
Also make sure:
display_errors=off
and:
session.name=session_id
3) For more fingerprinting try nmap -sV yourdomain.com; oftentimes ssh will leak detailed information like what Linux distro you are running. I recommend disabling what you can and hiding the rest with port knocking.
Iptables for Linux, or use a .htaccess file in www-root-dir:
Order Deny,Allow
Deny from all
Allow from local.
Allow from 167.0.2.1 167.0.2.2
or settings in httpd.conf
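
A small check for the difference between the Before and After responses quoted above, as an added example that is not part of the original answers: it parses a raw response head and reports Server tokens that carry a version or platform, plus any X-Powered-By header. The function names and the two regular expressions are this example's own assumptions.

```python
import re

# Response heads copied from the "Before" and "After" listings above.
BEFORE = """HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8
"""
AFTER = """HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
"""
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.+~-]*)")  # product/version
OS_COMMENT = re.compile(r"\(([^)]+)\)")                          # e.g. (Ubuntu)


def parse_headers(raw):
    """Return {lowercased-name: [values]}; field names are case-insensitive."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """List (header, leaked detail) pairs that disclose the software stack."""
    headers = parse_headers(raw)
    findings = []
    for value in headers.get("server", []):
        for product, version in VERSION_TOKEN.findall(value):
            findings.append(("server", f"{product} version {version}"))
        for comment in OS_COMMENT.findall(value):
            findings.append(("server", f"platform {comment}"))
    for value in headers.get("x-powered-by", []):
        findings.append(("x-powered-by", value))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "no version disclosure")
```

Because it only inspects what the client receives, the check also reports a rewritten X-Powered-By value; an empty result means neither header carries a version, platform or framework string.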

How to turn a PHP script into a proxy server?

We all know that HTTP uses port 80. What if I put my server's IP and port 80 in the browser's proxy settings: will the browser send the HTTP requests to my index.php, which will fetch the website from the server side and return the response headers and body?
Thanks
Assuming you have Apache or such listening on port 80, your requests will be sent to the server on that port. You should probably enable mod_rewrite and redirect every incoming request into index.php, otherwise the server will look for the requested filename and return a 404. Then you should use cURL inside index.php and echo the raw results, headers included.
The performance of the whole thing may well be less than stellar, I think.
If you're on Apache, there's no point in using a PHP script as a proxy - Apache has a perfectly good proxy (mod_proxy) module already, which would also eliminate the overhead (and problems) of running everything through PHP.
