How to remove nginx & PHP versions from HTTP Header

Server Norckon 309℃ 0 comments


INTRODUCTION

Unless disabled, both nginx and PHP give away their version in the HTTP headers. Here is what that looks like:

$ curl -I http://test.local
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 11 Apr 2014 08:20:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
...

For security purposes it’s not a bad idea to prevent those versions from being shown; it denies an attacker an easy fingerprint of exactly which releases (and known bugs) you are running. Mind you, security through obscurity is no real security, and hiding the version is no substitute for patching. Having said that, here’s how to do it.

HOW TO

To disable the nginx version, in /etc/nginx/nginx.conf add server_tokens off; in the http section:

http {

    # do not show the nginx version
    server_tokens   off;

}

More information about server_tokens can be found in the nginx docs.

It’s not possible to disable just the PHP version in the X-Powered-By: PHP/5.3.3 header. However, it is possible to disable the header altogether. There are two ways to do that:

1) in /etc/php.ini add expose_php = Off. This will disable the PHP header everywhere.

;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://www.php.net/manual/en/ini.core.php#ini.expose-php
expose_php = Off

2) if you only want the X-Powered-By: PHP/5.3.3 header disabled for a certain host, add php_flag[expose_php] = off to the appropriate pool configuration file in /etc/php-fpm.d/ (this only applies when PHP runs under PHP-FPM).

[my-host-pool]
...
php_flag[expose_php] = off
...

More information about expose_php can be found in the PHP manual.

With both headers sanitized (reload nginx and restart PHP-FPM for the changes to take effect), the HTTP response headers now look like this:

$ curl -I http://test.local
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Apr 2014 09:04:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
...

No more headers giving away the versions of both nginx and PHP.
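A small check you can run against the headers of your own server, as an added example that is not part of the original post: it parses curl -I style output and flags a Server or X-Powered-By header that still carries a version number. The two responses embedded below are constructed copies of the before/after output shown above, so the script runs offline.

```python
import re

# Constructed sample responses (not captured from a live host): the
# headers before and after applying server_tokens off / expose_php = Off.
BEFORE = """HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 11 Apr 2014 08:20:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
"""

AFTER = """HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Apr 2014 09:04:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
"""

# Headers that commonly carry a product/version string.
WATCHED = ("server", "x-powered-by")
# Matches a "/1.4.7" style version suffix as nginx and PHP emit it.
VERSION_RE = re.compile(r"/\d+(\.\d+)*")


def parse_headers(raw):
    """Parse curl -I style output into a {lowercased name: value} dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers


def version_leaks(raw):
    """Return {header: value} for watched headers whose value includes a version."""
    hdrs = parse_headers(raw)
    return {h: hdrs[h] for h in WATCHED if h in hdrs and VERSION_RE.search(hdrs[h])}


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        leaks = version_leaks(raw)
        print(label, "->", leaks if leaks else "no version disclosed")
```

To check a real host, feed the output of curl -I against it into version_leaks(); an empty result means neither header discloses a version.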
