OSETC TECH

How to Hide PHP Version in Your LAMP Web Server

This post will guide you through hiding the PHP version in your Linux/Apache/MySQL/PHP (LAMP) web server: how to find the PHP version information in the HTTP headers your web server sends, and how to stop the "X-Powered-By: PHP" header from being sent, so that attackers cannot pick an attack to match the exact PHP version your Linux web server runs.

Find Out PHP Version Information From HTTP Header Using Curl Command

You can easily find out the PHP version from the HTTP headers of your web server using the curl command with the "-I" or "-IL" option (the latter also follows redirects), type:

$ curl -I ServerName
$ curl -IL ServerName

For example, to get the HTTP headers of a URL called mydevops.com, just type the following command:

$ curl -IL mydevops.com

Outputs:

[root@mydevops php.d]# curl -IL mydevops.com
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2019 14:27:23 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.7
Location: https://mydevops.com/
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2019 14:27:23 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.7
Location: https://www.mydevops.com/
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Tue, 15 Oct 2019 14:27:24 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.7
X-Powered-By: PHP/7.3.7
Link: <https://www.mydevops.com/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

From the above output you can see that the PHP version is 7.3.7, both in the Server header and in the X-Powered-By header. It is not safe to expose the PHP version of your web server like this.

Hide Your PHP Version

To hide your PHP version from the HTTP headers of your web server, edit or create a PHP configuration file named custom.ini under the /etc/php*/conf.d/ or /etc/php*/php.d/ directory (whichever your distribution uses). You need to add the following line to the custom.ini file; from inside that directory, type:

$ echo 'expose_php = off' >> custom.ini

Then restart the php-fpm service with one of the following commands:

$ sudo systemctl restart php-fpm

or

$ sudo /etc/init.d/php-fpm restart

Now re-run the curl command to verify that the PHP version is hidden on your web server, type:

$ curl -IL mydevops.com

Outputs:

[devops@mydevops ~]$ curl -IL mydevops.com
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2019 14:30:45 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Location: https://mydevops.com/
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2019 14:30:46 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Location: https://www.mydevops.com/
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Tue, 15 Oct 2019 14:30:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Link: <https://www.mydevops.com/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

You can see that the PHP version has been hidden: the PHP/7.3.7 token is gone from the Server header and the X-Powered-By header is no longer sent at all.
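To make that check repeatable, here is an added shell example (not from the original post) that audits the raw headers from "curl -sIL host" for a PHP version token in the Server and X-Powered-By lines; the BEFORE and AFTER samples are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example, not from the original post: audit raw HTTP response headers
# (the output of `curl -sIL <host>`, or a saved copy) for PHP version disclosure.

# Print every Server: or X-Powered-By: header carrying a PHP/x.y.z token.
# Returns 1 when the version is disclosed, 0 when the headers are clean.
check_php_leak() {
    # the trailing sort keeps the assignment's exit status 0 when grep finds nothing
    leaks=$(grep -iE '^(Server|X-Powered-By):.*PHP/[0-9]' | sort -u)
    if [ -n "$leaks" ]; then
        printf 'PHP version disclosed:\n%s\n' "$leaks"
        return 1
    fi
    printf 'no PHP version in headers\n'
    return 0
}

# Extract the first disclosed PHP version string (empty when none is present).
php_version_from_headers() {
    grep -ioE 'PHP/[0-9]+(\.[0-9]+)*' | head -n 1 | cut -d/ -f2
}

# Constructed sample headers modelled on the curl output in the post.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.7
X-Powered-By: PHP/7.3.7
Content-Type: text/html; charset=UTF-8'

AFTER='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Type: text/html; charset=UTF-8'

# Run with --demo to see both samples checked; otherwise only the functions are defined.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$BEFORE" | check_php_leak
    printf '%s\n' "$AFTER" | check_php_leak
fi
```

Source the file and run `curl -sIL mydevops.com | check_php_leak` against the live server. If PHP runs as an Apache module (mod_php) rather than under php-fpm, restart httpd after changing the ini file before re-checking, because the module only reads the setting at startup.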

Conclusion

You now know how to hide the PHP version from the HTTP headers of a web server by creating or editing a file named custom.ini on CentOS/RHEL/Ubuntu Linux.