PHP (Hypertest Preprocessor) is a server-side HTML embedded scripting language that is very popular for web development. When PHP is running on a web server, each and every request to the web server will return the following line of header with PHP version information to the browser.

X-Powered-By: PHP/[version]
The X-Powered-By header info is controlled by expose_php core php.ini directive. expose_php determines whether web server will report that PHP is being used to process the request, and what version of PHP is installed to every request. expose_php is enabled by default, so the information is sent on each HTTP and HTTPS request.

While PHP is generally reliable and secure, older and outdated versions of PHP may contain security holes and bugs. Although there is no problem leaving PHP version info exposed, and enable expose_php is not classified as security risk, but malicious hackers looking for potentially vulnerable targets can use PHP version installed on a web server to identify a weakness. By turning off expose_php, the existence and version of PHP is hidden, and help lower threat to attacks that rely on simple reconnaissance techniques to scan for vulnerable targets. Although websites not using SEO-optimized URL structures may still potentially been seen by human as running PHP from link location (e.g. index.php?variable=value), but bots and automated scripts from novice attackers may be fooled.

So it’s recommended disable and turn expose_php off. Webmasters can disable expose_php in the php.ini file, usually located in /etc, /usr/lib, /usr/local/lib or /usr/local/lib/php/:

; Disable expose_php for security reasons
expose_php = Off

Tip: Setting expose_php to Off in php.ini does not prevent or stop php_info() function from executing.

Related Posts