To disable the nginx version, in /etc/nginx/nginx.conf add server_tokens off; in the httpsection:
# do not show the nginx version
More information about server_tokens can be found in the nginx docs.
It’s not possible to disable just the PHP version in the X-Powered-By: PHP/5.3.3 header. However, it is possible to disable the header all together. There are two ways to do that:
1) in /etc/php.ini add expose_php = Off. This will disable the PHP header everywhere.
; Miscellaneous ;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = Off
2) if you only want the X-Powered-By: PHP/5.3.3 header disabled for a certain host, add php_flag[expose_php] = off to the appropriate conf file in /etc/php-fpm.d/.
php_flag[expose_php] = off
More information about expose_php can be found in the PHP manual.
With both headers sanitized, the HTTP Response Headers now look like this:
$ curl –I http://test.local
HTTP/1.1 200 OK
Date: Fri, 11 Apr 2014 09:04:00 GMT
Content–Type: text/html; charset=UTF–8
No more headers giving away the versions of both nginx and PHP.