Version Disclosure (PHP) - Vulnerability Database

Version Disclosure (PHP)

Description

The web server is configured to send the X-Powered-By HTTP response header, which discloses the specific version of PHP running on the server. This header is automatically added by PHP's default configuration and provides unnecessary technical information about the server environment to any client making HTTP requests.

Remediation

Disable PHP version disclosure by modifying the PHP configuration. The recommended approach depends on your server setup:

Method 1: Modify php.ini (Preferred)
Locate your php.ini file and set the expose_php directive to Off:

expose_php = Off

After making this change, restart your web server to apply the configuration.

Method 2: Remove Header Programmatically
If you cannot modify php.ini, remove the header in your application code or in a common bootstrap file:

header_remove('X-Powered-By');

Method 3: Web Server Configuration
Configure your web server (Apache, Nginx, etc.) to strip or override the X-Powered-By header. For Apache with mod_headers enabled:

Header unset X-Powered-By

For Nginx:

fastcgi_hide_header X-Powered-By;

After implementing any of these methods, verify the header is no longer present by inspecting HTTP responses using browser developer tools or command-line tools like curl.
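
One way to script the verification step, as an added example that is not part of the original page: a shell function that reads raw response headers (for instance from curl -s -o /dev/null -D - URL) and reports whether X-Powered-By is absent, present without a PHP version, or disclosing a PHP version. The function names, result strings and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the X-Powered-By header found in raw HTTP response headers.
# Reads headers on stdin and prints exactly one of:
#   absent | present:<value> | php-version:<version>
classify_powered_by() {
    awk '
        BEGIN { result = "absent" }
        {
            sub(/\r$/, "")                       # curl keeps the CRLF line endings
            colon = index($0, ":")
            if (colon == 0) next                 # status line or blank separator
            name = tolower(substr($0, 1, colon - 1))
            if (name != "x-powered-by") next     # header names are case-insensitive
            value = substr($0, colon + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)   # trim optional whitespace
            if (match(value, /PHP\/[0-9][0-9A-Za-z.+~-]*/)) {
                # Skip the 4 characters of "PHP/" and keep only the version token.
                result = "php-version:" substr(value, RSTART + 4, RLENGTH - 4)
                exit                             # a version leak is the worst case
            }
            result = "present:" value
        }
        END { print result }
    '
}

# Constructed sample: response from a server still running with expose_php = On.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: PHP/8.1.2\r\n'
    printf 'Content-Type: text/html; charset=UTF-8\r\n\r\n'
}

# Constructed sample: the same response after one of the remediation methods.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n'
    printf 'Content-Type: text/html; charset=UTF-8\r\n\r\n'
}

echo "before: $(sample_before | classify_powered_by)"
echo "after:  $(sample_after | classify_powered_by)"

# Against a live site (URL is a placeholder):
#   curl -s -o /dev/null -D - https://your-site.example/ | classify_powered_by
```

Run the check against a PHP-generated page rather than a static file, because the header is added only to responses that PHP itself produces.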
