X-Powered-By: PHP

It’s not that I have anything against advertising. Perfectly acceptable when it comes to automobiles, boats or family vacations. But I do think the “X-Powered-By” tag is where the line needs to be drawn.


So let’s say you’ve done your due diligence and implemented a policy on your Internet web tier requiring ServerTokens to be set to “Prod” and ServerSignature to “Off”. Then you go and do a quick scan of some of your sites using LiveHTTPHeaders and you see crap like this:

Date: Thu, 26 Jan 2012 04:19:04 GMT
Server: Apache
X-Powered-By: PHP/5.3.9
Cache-Control: max-age=172800
Expires: Sat, 28 Jan 2012 04:19:04 GMT
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 2547
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: image/gif

Yeah, just what you need: the whole world knowing you’re running PHP behind that Apache, and exactly which version!

This is easily fixed. All you have to do is set

expose_php = Off

in php.ini (/etc/php.ini on Red Hat-style systems; other distributions keep it elsewhere, so check `php --ini` or phpinfo() for the file actually loaded), reload or restart httpd, and the header disappears. The same setting also switches off the PHP logo and credits “easter eggs” reachable through special query strings on PHP versions of this vintage. One caveat: expose_php only stops PHP itself from adding the header. If application code sets its own X-Powered-By (some frameworks do), that one still goes out, so it’s worth re-checking the live headers after the change rather than trusting the ini file.
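Since the proof is in the headers the server actually sends, here is a small check script for that re-check. It is an added example for this post, not something from the original article: it reads a raw HTTP response header block and flags any header that advertises a product or version (X-Powered-By, the ASP.NET variants, X-Generator, or a Server header carrying a version number), returning a non-zero exit status so it can gate a deployment. The sample header blocks are constructed from the response quoted above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: flag response headers that
# advertise the server stack, such as "X-Powered-By: PHP/5.3.9".

# check_headers: read raw response headers on stdin, print each header that
# leaks product or version information, and return 1 if any were found
# (0 if the response is clean). Header names are matched case-insensitively
# because HTTP header names are case-insensitive.
check_headers() {
    leaks=$(tr -d '\r' | grep -i -E \
        '^(X-Powered-By|X-AspNet-Version|X-AspNetMvc-Version|X-Generator):|^Server:[[:space:]]*[^[:space:]]+/[0-9]')
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# scan_url: fetch a URL and run its response headers through check_headers.
# Uses a GET with the body discarded rather than HEAD, since some servers
# answer HEAD requests differently. (Not run offline; provided for real use.)
scan_url() {
    curl -sS -o /dev/null -D - "$1" | check_headers
}

# Constructed sample: the headers quoted in the post, before expose_php = Off.
LEAKY_HEADERS='HTTP/1.1 200 OK
Date: Thu, 26 Jan 2012 04:19:04 GMT
Server: Apache
X-Powered-By: PHP/5.3.9
Cache-Control: max-age=172800
Content-Type: image/gif'

# Constructed sample: the same response after the fix.
CLEAN_HEADERS='HTTP/1.1 200 OK
Date: Thu, 26 Jan 2012 04:19:04 GMT
Server: Apache
Cache-Control: max-age=172800
Content-Type: image/gif'

# Stand-alone demonstration on the two samples.
for sample in "$LEAKY_HEADERS" "$CLEAN_HEADERS"; do
    if printf '%s\n' "$sample" | check_headers; then
        echo "clean: no stack-advertising headers"
    else
        echo "leaking headers found (listed above)"
    fi
done
```

Point `scan_url` at each site after the php.ini change (for example `scan_url https://www.example.com/` against a few URLs, including one that returns a PHP-generated image like the GIF above, since those are easy to miss). As belt and braces on Apache with mod_headers loaded, `Header unset X-Powered-By` in the server or virtual host config strips the header whoever added it, which covers the application-code case that expose_php cannot.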

But the question remains: why is this the default?

Think of it: thousands of web sites making it just that much easier for the bad guys, by telling them up front which version to look up exploits for. And for what? To satisfy the egos of a few company executives and developers?

You really can’t make this stuff up.