I am using PHP 5.6.xx and Nginx server on an Apline Linux server. I want to hide ‘X-Powered-By: PHP/5.6.32’ or ‘x-powered-by: PHP/7.3.6’ HTTP header. How can I hide PHP version when using Nginx along with PHP-fpm5 or PHP-fpm7?
By default, client/user/browser see information about your PHP and web server version. If you forgot to update your PHP version, an attacker can use version information to attack or find vulnerabilities in your PHP version.
Let us see how to hide PHP version on a Linux or Unix-like system.
How to find out PHP version using the CLI
You need to use the curl command as follows:curl -IL https://some-server-ip-OR-domain-name/
curl -IL https://server1.cyberciti.biz/
Sample outputs:
HTTP/2 200 server: nginx
date: Sun, 23 Jun 2019 20:48:48 GMT
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.3.6
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-robots-tag: noindex, noarchive
strict-transport-security: max-age=15768000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-whome: l-cbz01
referrer-policy: no-referrer-when-downgrade Hiding your PHP version
You need to edit/create a file named custom.ini as per your Linux/Unix variant. Do not edit php.ini file as it might get updated/replaced with your PHP version. Here is a quick list:
- Alpine Linux and PHP v5.6.xx : /etc/php5/conf.d/custom.ini
- Alpine Linux and PHP v7.xx : /etc/php7/conf.d/custom.ini
- Debian/Ubuntu Linux and PHP v7.xx : /etc/php/7.0/fpm/conf.d/custom.ini
- RHEL/Fedora/CentOS Linux : /etc/php.d/custom.ini
You can always find php directory location using php* and grep command:$ php -i | more
$ php -i | grep -i -A4 'Additional .ini files parsed'
$ php-fpm5 -i | grep -i -A4 'Additional .ini files parsed'
$ php-fpm7.0 -i | grep -i -A4 'Additional .ini files parsed'
Sample outputs (look for directory name that stores all .ini files):
Configuration File (php.ini) Path => /etc/php/7.0/fpm Loaded Configuration File => /etc/php/7.0/fpm/php.ini Scan this dir for additional .ini files => /etc/php/7.0/fpm/conf.d Additional .ini files parsed => /etc/php/7.0/fpm/conf.d/10-mysqlnd.ini, /etc/php/7.0/fpm/conf.d/10-opcache.ini, /etc/php/7.0/fpm/conf.d/10-pdo.ini, |
Add the following line to custom.ini as per your setup:
############################################## ## this is for Alpine Linux and PHP v5.6.xx ## ############################################## echo 'expose_php = off' >> /etc/php5/conf.d/custom.ini |
For Alpine Linux and PHP 7.x:
echo 'expose_php = off' >> /etc/php7/conf.d/custom.ini |
Restart/reload PHP
The syntax depends upon your PHP version:### [ Alpine linux restart php-fpm ] ##
$ sudo /etc/init.d/php-fpm restart
### [ RHEL/CentOS 5.x/6.x restart php-fpm ] ##
$ sudo service php-fpm restart
### [ RHEL/CentOS 7.x restart php-fpm ] ##
$ sudo systemctl restart php-fpm
### [ Debian/Ubuntu Linux latest restart php-fpm ] ##
$sudo service php7.0-fpm restart
### [ FreeBSD restart php-fpm ] ##
$ sudo service php-fpm restart
### [ Alpine Linux restart php-fpm7 ] ##
$ sudo /etc/init.d/php-fpm7 restart
Verification
Use the curl command again:$ curl -IL https://some-server-ip-OR-domain-name/
$ curl -IL https://server1.cyberciti.biz/
Sample outputs:
HTTP/2 200 server: nginx date: Sun, 23 Jun 2019 20:56:01 GMT content-type: text/html; charset=UTF-8 set-cookie: PHPSESSID=q49sd1armm17j7a8l658538n74; path=/ expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache x-robots-tag: noindex, noarchive strict-transport-security: max-age=15768000 x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-whome: l-cbz01 referrer-policy: no-referrer-when-downgrade
You can also use the nmap command as follows:sudo nmap -sV --script=http-php-version server-ip-here
sudo nmap -sV --script=http-php-version server1.cyberciti.biz
Sample outputs:
[sudo] password for vivek: Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-24 02:26 IST Nmap scan report for newsletter.cyberciti.biz (96.126.119.5) Host is up (0.26s latency). rDNS record for 96.126.119.5: nb-96-126-119-5.dallas.nodebalancer.linode.com Not shown: 998 closed ports PORT STATE SERVICE VERSION 80/tcp open http nginx |_http-server-header: nginx 443/tcp open ssl/http nginx |_http-server-header: nginx Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 21.20 seconds |
A warning about hiding PHP version
This technique falls under Security Through Obscurity. Even if nobody outside of your org allowed to find out anything about PHP version, an attacker can still guess or find your PHP version using other methods such as fingerprinting. I strongly suggest that you apply PHP/Nginx/Apache patches on time and write secure code. Updating PHP is pretty simple as per your Linux/Unix variant:
Update PHP and other apps on an Ubuntu/Debian Linux
Type the following apt command/apt-get command:$ sudo apt update
$ sudo apt upgrade
Update PHP and other apps on a RHEL/CentOS/Fedora Linux
Type the following yum command:$ sudo yum update
Update PHP and other apps on an Alpine Linux
Type the following apk command:# apk update && apk upgrade
See also
