How to disable versions expose in PHP and webservers (nginx, Apache)

By default PHP exposes it’s version:

curl -vi localhost
< HTTP/1.1 200 OK
< Server: nginx/1.0.15
< Date: Fri, 01 Feb 2013 23:19:48 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=64
< X-Powered-By: PHP/5.4.8

As you can see just by running GET requst you are able to get nginx and PHP version on the server:

Server: nginx/1.0.15
X-Powered-By: PHP/5.4.8

To disable it modify your /etc/php.ini file:

expose_php = Off

As well as nginx’ http section:

server_tokens off;

And if you use Apache:

ServerTokens Prod


Leave a Reply

Your email address will not be published. Required fields are marked *