How to remove nginx & PHP versions from HTTP Header

Unless disabled, both nginx and PHP give away their version in the HTTP header. Here is what that looks like:

For security purposes it’s not a bad idea to prevent those versions from being shown. Mind you, security through obscurity is no real security. Having said that, here’s how to do it.

To remove the nginx version, in /etc/nginx/nginx.conf add server_tokens off; in the http section:

More information about server_tokens can be found in the nginx docs.

It’s not possible to disable just the PHP version in the X-Powered-By: PHP/5.3.3 header. However, it is possible to disable the header altogether. There are two ways to do that:

1) in /etc/php.ini add expose_php = Off. This will disable the PHP header everywhere.

2) if you only want the X-Powered-By: PHP/5.3.3 header disabled for a certain host, add php_flag[expose_php] = off to the appropriate conf file in /etc/php-fpm.d/.

More information about expose_php can be found in the PHP manual.

With both headers sanitized, the HTTP Response Headers now look like this:

No more headers giving away the versions of both nginx and PHP.
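To confirm the change after reloading nginx and PHP-FPM, the response headers can be checked mechanically. The script below is an added example, not part of the original post: the function names and both sample responses are constructed for illustration, and the nginx version in the "before" sample is a made-up value.

```shell
#!/bin/sh
# Added example: audit HTTP response headers for version disclosure.
# Reads raw response headers on stdin, prints one "LEAK ..." line per
# offending header, and returns 1 if anything was found, 0 if clean.
check_version_headers() {
    awk '
        BEGIN { bad = 0 }
        { sub(/\r$/, "") }                  # strip CR from CRLF line endings
        tolower($0) ~ /^server:/ {
            # server_tokens off leaves a bare "Server: nginx";
            # a "/<digit>" suffix means a version is still shown.
            if ($0 ~ /\/[0-9]/) { print "LEAK " $0; bad = 1 }
        }
        tolower($0) ~ /^x-powered-by:/ {
            # expose_php = Off removes this header entirely,
            # so its mere presence is a finding.
            print "LEAK " $0; bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample: response before hardening (nginx version is made up).
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.0.0\r\n'
    printf 'Content-Type: text/html\r\nX-Powered-By: PHP/5.3.3\r\n\r\n'
}

# Constructed sample: response after server_tokens off and expose_php = Off.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

sample_before | check_version_headers || echo "before: version disclosed"
sample_after  | check_version_headers && echo "after: clean"

# Against a live host (hypothetical URL):
#   curl -sI http://localhost/ | check_version_headers
```

The non-zero exit status on a leak makes the check usable in a deployment script or monitoring job, so a later config change that re-enables either header is noticed.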

