
Remove PHP Version from your server's response header (expose_php = off)


eec


For the last few days I was dealing with this problem; surprisingly, I could not find any threads on any of the PS forums. Now that I have resolved the issue, I decided to share this matter with others.

 

The problem was that our PS used to expose its version. That is how it works: servers will normally share some of their configuration with the world in their response headers. There are good reasons for most of the information being shared, while some pieces are better kept private, such as the version of the server application (e.g. Apache) or the version of the PHP compiler.

 

The argument is that this information adds vulnerability and might invite trouble: a specific version of Apache or PHP might be discovered to be vulnerable to a certain attack, and by advertising its version you basically motivate interested people to try their skills, which is something administrators are not happy about.

 

So it is best to keep this information secret, and there are easy ways to do so. Check your hosting company's documentation; normally you should be able to configure these simply from the web hosting management portal. For reference, these work as follows on Apache and PHP:

 

Apache setting (httpd.ini): 

 

ServerTokens ProductOnly
ServerSignature Off

 

PHP settings (php.ini)

expose_php = Off;

 

Set these on your server instance to fix the configuration. In my case I had done this at the time of installing the website, and assumed that it should not be providing version-specific information, but a few days ago I noticed that PS still puts the PHP version information in the response header. It looks something like this:

 

X-Powered-By ...

 

All the settings on the server and management portals were OK, but this was still being placed in the response header, only on the sub-domain of our PS. Lastly, I noticed that there is a php.ini file in the root folder of the PS installation. I do not really know how it works, but apparently it is being appended to the system's PHP config, and placing the line below in this php.ini finally resolved the matter.

 

expose_php = Off;

 

Hope this can save other people's time, as it took me half an hour to figure it out. And if anybody knows why and how PS overwrites the server's PHP configuration, it would be nice to share it here.

 

Good Luck to all.

 

P.S. Response headers can easily be seen, for example, in the Chrome browser's developer tools; check Google's documentation if you are not familiar with how to see those messages.
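A way to verify the result of the settings above, as an added example that is not part of the original post: a small Python check that parses a raw response header block and reports any `X-Powered-By` header or versioned `Server` value. The function names and both sample responses are constructed for illustration.

```python
import re

# Product token followed by a version, e.g. "Apache/2.4.41" or "PHP/7.4.3".
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.+-]*/\d[\w.]*")
# Headers that exist only to advertise the software stack.
ADVERTISING_HEADERS = {"x-powered-by"}


def parse_headers(raw):
    """Parse a raw response head into (name, value) pairs; names lowercased."""
    pairs = []
    for line in raw.strip().splitlines():
        if line.upper().startswith("HTTP/"):
            continue                    # status line, not a header
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_disclosures(raw):
    """Return (header, value, reason) for every header that leaks stack details."""
    findings = []
    for name, value in parse_headers(raw):
        if name in ADVERTISING_HEADERS:
            findings.append((name, value, "should be absent (expose_php = Off)"))
        elif name == "server" and VERSION_TOKEN.search(value):
            findings.append((name, value, "versioned (ServerTokens ProductOnly)"))
    return findings


# Constructed sample responses (not captured from a real server).
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=utf-8
"""
AFTER = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", find_disclosures(sample) or "no version disclosure")
```

Run it against the headers of every virtual host or sub-domain you serve, since the post shows that a php.ini in one site's folder can change the result for that site only.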
