It’s not that I have anything against advertising. Perfectly acceptable when it comes to automobiles, boats or family vacations. But I do think the “X-Powered-By” tag is where the line needs to be drawn.
So let’s say you’ve done your due diligence and implemented a policy on your Internet web tier requiring ServerTokens to be set to “Prod” and ServerSignature to “Off”. Then you go and do a quick scan of some of your sites using LiveHTTPHeaders and you see crap like this:
Date: Thu, 26 Jan 2012 04:19:04 GMT
Server: Apache
X-Powered-By: PHP/5.3.9
Cache-Control: max-age=172800
Expires: Sat, 28 Jan 2012 04:19:04 GMT
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 2547
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: image/gif
Yeah, just what you need. Like the world needs to know you’re running PHP in the background and exactly what version it is!
This is easily fixed. All you have to do is set
expose_php = Off
in /etc/php.ini, restart httpd, and it disappears.
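As an added check, not part of the original post, here is a small Python audit that parses a captured header block like the one above and flags what the response gives away: any X-Powered-By style header, and a Server header that still carries a version token (i.e. ServerTokens not at Prod). The extra header names it flags besides X-Powered-By are my assumptions.

```python
import re

# Constructed sample: the header block quoted in the post above.
SAMPLE_HEADERS = """Date: Thu, 26 Jan 2012 04:19:04 GMT
Server: Apache
X-Powered-By: PHP/5.3.9
Cache-Control: max-age=172800
Expires: Sat, 28 Jan 2012 04:19:04 GMT
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 2547
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: image/gif"""

# Headers whose mere presence advertises the software stack (assumed list).
CHATTY_HEADERS = ("x-powered-by", "x-aspnet-version", "x-generator")

# A "product/version" token such as Apache/2.2.22 or PHP/5.3.9.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")

def parse_headers(raw):
    """Parse a raw header block into (name, value) tuples.
    Names are lowercased; a status line (HTTP/1.1 200 OK) is skipped."""
    headers = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_headers(raw):
    """Return a list of findings describing what the response discloses.
    An empty list means the response meets the ServerTokens Prod / expose_php Off policy."""
    findings = []
    for name, value in parse_headers(raw):
        if name in CHATTY_HEADERS:
            findings.append(f"{name} present: {value} (PHP: set expose_php = Off)")
        elif name == "server" and VERSION_RE.search(value):
            findings.append(f"server reveals version: {value} (Apache: ServerTokens Prod)")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["no disclosure headers found"]:
        print(finding)
```

Paste the output of `curl -sI` for each site into the audit to sweep a web tier after the policy change.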
But the question remains: why is this the default?
Think of it, thousands of web sites making it just that much easier for the bad guys to hack them by this kind of advertising. And for what? To satisfy the egos of a few company executives and developers?
You really can’t make this stuff up.