How to Remove x-powered-by in Apache/PHP

Last updated on June 26th, 2024 at 06:25 am

By default, every website running on Apache server contains X-Powered-By response header. Often website administrators need to hide x-powered-by in Apache/PHP server to protect your web server’s identity and prevent malicious attackers from exploiting its security vulnerabilities. In this article, we will look at how to remove x-powered-by in Apache/PHP.

What is Server Signature

By default, every server displays something called as server signature. This is true for all major web servers such as Apache and NGINX. It contains information about server name, its version and other information. It can also contain information about other software technology that is powering your website. This server signature is present as X-Powered-By response header sent by the server for every response received from your website.

Why Remove x-powered-by in Apache

X-Powered-By response header can also contain sensitive information about your technology stack that can be exploited by attackers and bots. For example, it contains information about server name and version, and also your software backend such as PHP and its version. Using this information, attackers can easily exploit vulnerabilities associated with a specific Apache or PHP version. Therefore, it is important to remove this header on production systems. Please note, this information is present even if the requested URL does not exist on your website and the server returns ‘404:Page not found’ response.

How to Remove x-powered-by in Apache/PHP

There are multiple ways to remove x-powered-by in Apache/PHP. We will look at each of them one by one.

1. Using php.ini

If you have access to php.ini file (PHP configuration) file, typically found at /etc/php.ini or /etc/php5/apache2/php.ini depending on your Linux distribution, then open terminal and run the following command to view php.ini in a text editor.

$ sudo vi /etc/php.ini

Find the following line.

expose_php = on

Change it to the following, to hide x-powered-by header.

expose_php = off

Save and close the file.

Restart Apache server to apply changes.

$ sudo service apache2 restart

Please note, the above setting will disable x-powered-by for all web pages on your website, at one go.

2. Using Apache header directive

You can also use Apache’s mod_headers module to reset specific headers. It allows you to set or reset response headers as per your requirement. Depending on your Linux system, you can enable mod_headers using the following steps.

Ubuntu/Debian

Open terminal and run the following command to enable mod_headers.

$ sudo a2enmod headers

RHEL/Fedora/CentOS

mod_headers module is already enabled in RHEL/Fedora/CentOS systems.

Once you have enabled this module, you can add the following line in Apache server configuration, Virtual Host, or .htaccess file. You can place it anywhere in these files or in a specific Directory tag as per your requirement.

Header unset X-Powered-By

Restart Apache server to apply changes.

$ sudo service apache2 restart

3. Using PHP code

If you don’t have access to php.ini, just add the following to your PHP response, to remove or overwrite the x-powered-by header before sending it to the client.

The following function will remove x-powered-by header on the page where this code is placed.

<?php header_remove("X-Powered-By"); ?>

The following function will replace the x-powered-by header value ‘ABC’, instead of removing it. You can change it as per your requirement.

<?php header("X-Powered-By: ABC"); ?>

Please note, the above code will only remove x-powered-by header from the page on which it is placed. So you need to place it on all pages of your web site, or template pages so that they are inherited by all child pages. In this method, if you do not place this code on any page, then attackers can figure out your technology by simply requesting that page. They can even get this information by requesting a page that does not exist. So this method is not entirely foolproof.

As you can see it is easy to remove x-powered-by header in Apache/PHP.

Conclusion

In this article, we have learnt a couple of simple ways to easily turn off x-powered-by response header on Apache web server. As mentioned earlier, it is important to disable server signature on Apache server. Otherwise, malicious attackers and bots will use it to figure out the technology stack of your website and then use it to exploit its vulnerabilities. This is especially true if you are using an old version of Apache/PHP on your server. Among the solutions discussed above, we recommend you to set expose_php directive in php.ini or Header directive in Apache configuration/.htaccess file. This is because it is a site-wide setting that works on all pages. Using header_remove() or header() php functions will only apply the change on that page and not other pages.

Ubiq makes it easy to visualize data in minutes, and monitor in real-time dashboards. Try it Today!

Also read
How to Disable HTTP OPTIONS methods in Apache
How to enable mod_rewrite in XAMPP, WAMP
How to Set Default Charset to UTF8 encoding in Apache