In a default Apache/PHP configuration, PHP inserts its own HTTP response header advertising that PHP is in use. The "X-Powered-By" header carries the PHP version, and in some cases even the patch level. That is unhelpful, because attackers routinely read response headers to fingerprint the PHP version before choosing what to try. For example, if an attacker sees you are running PHP 4, they can go straight to known PHP 4 vulnerabilities.
Luckily, you can set the expose_php directive to "Off" in your global php.ini configuration file to suppress the "X-Powered-By" header. Depending on your distro, php.ini is usually found at /etc/php.ini or /etc/php5/apache2/php.ini; note that the CLI and the Apache module can load different php.ini files, so edit the one Apache actually uses (phpinfo() reports the loaded file) and restart Apache afterwards so mod_php picks up the change. Here's a snapshot of my php.ini file, showing the expose_php directive set to Off:
; Misc
;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = Off
Using HttpFox, an HTTP header analyzer extension for Firefox, I verified that PHP is no longer adding the "X-Powered-By" header to my responses.
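If you would rather verify this from the command line than from a browser extension, the following POSIX shell script is an added example (not part of the original post): one function reads the effective expose_php value out of a php.ini file (comments skipped, last uncommented assignment wins, case-insensitive, the way PHP itself treats the file), and another reports whether a set of raw response headers still carries X-Powered-By. The check_url helper uses curl against a live server and is the only part that needs network access; the sample php.ini lines and header lines at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: check expose_php in php.ini and look for X-Powered-By
# in HTTP response headers. Not taken from the original post.

# Print the effective expose_php value ("on", "off", ...) from the php.ini
# given as $1. Lines starting with ';' are comments; if the directive appears
# more than once the last uncommented one wins; prints "unset" if absent.
expose_php_value() {
    awk -F'=' '
        /^[ \t]*;/ { next }                          # skip comment lines
        tolower($1) ~ /^[ \t]*expose_php[ \t]*$/ {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)           # trim whitespace
            sub(/[ \t]*;.*$/, "", v)                 # drop trailing comment
            val = tolower(v)
        }
        END { if (val == "") print "unset"; else print val }
    ' "$1"
}

# Read raw HTTP response headers on stdin; print "leaking" if any
# X-Powered-By header is present (case-insensitive), otherwise "hidden".
powered_by_status() {
    if grep -qi '^x-powered-by:' ; then
        echo leaking
    else
        echo hidden
    fi
}

# Live check against a URL (needs network): fetch only the headers.
check_url() {
    curl -sI "$1" | powered_by_status
}

# Demonstration on constructed input (a throwaway php.ini and two fake
# header blocks); a real run would use check_url "http://your-host/".
demo() {
    tmp=$(mktemp)
    printf '; expose_php = On\nexpose_php = On\nExpose_PHP = Off ; hide it\n' > "$tmp"
    echo "php.ini says expose_php = $(expose_php_value "$tmp")"
    rm -f "$tmp"
    printf 'HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.3.3\r\n' | powered_by_status
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n' | powered_by_status
}
```

Running demo prints "off" for the constructed php.ini (the commented line is ignored and the later Off wins over the earlier On), "leaking" for the first header block and "hidden" for the second. Once you have set expose_php = Off and restarted Apache, check_url against your own site should print "hidden"; if it still says "leaking", you most likely edited a php.ini that mod_php is not loading, or Apache has not been restarted.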
If you enjoyed this tip, you might also enjoy my post on HOWTO: Hide your Apache Server Version in Your HTTP Response Headers.
The PHP documentation I've read claims that expose_php "decides whether PHP may expose the fact that it is installed on the server (e.g. by adding its signature to the Web server header). It is no security threat in any way, but it makes it possible to determine whether you use PHP on your server or not."
I'm not sure what the PHP folks mean by "it is no security threat in any way." If an attacker knows which version of PHP you are running, that narrows down the vulnerabilities worth trying against you. For a security-minded administrator, or security expert, that is definitely worth denying them. Be clear about what the change buys you, though: hiding the header removes an easy version fingerprint, it does not remove any vulnerability, so treat it as a complement to keeping PHP patched rather than a substitute. Other signals (.php URLs, a PHPSESSID cookie, PHP-style error pages) can still reveal that PHP is in use, just not the exact version.
Anyway, enjoy!