Hiding Unnecessary Response Headers Apache/PHP
One way to help protect your website/server is to not tell everyone what platform and application versions everything is running on. If you were to request a PHP file from my site you would see some response headers that could be useful to people looking to break in, cause havoc, etc…
Here are the response headers for my request to aknosis.com (I’m viewing all of this in Firebug; if you don’t have it, get it, it’s the best web development tool in my arsenal):
| Header | Value |
|---|---|
| Date | Wed, 14 Oct 2009 05:59:59 GMT |
| Server | Apache/2.2.3 (CentOS) PHP/5.2.9 mod_ssl/2.2.3 OpenSSL/0.9.8b |
| X-Powered-By | PHP/5.2.9 |
| X-Pingback | http://www.aknosis.com/akwp/xmlrpc.php |
| Expires | Wed, 11 Jan 1984 05:00:00 GMT |
| Last-Modified | Wed, 14 Oct 2009 06:00:00 GMT |
| Cache-Control | no-cache, must-revalidate, max-age=0 |
| Pragma | no-cache |
| Vary | Accept-Encoding,User-Agent |
| Content-Encoding | gzip |
| Content-Length | 10636 |
| Keep-Alive | timeout=2, max=100 |
| Connection | Keep-Alive |
| Content-Type | text/html; charset=UTF-8 |
So if I were running a known insecure version of PHP, Apache, or any other out-of-date software exposed in the response headers, an attacker would need to look no further to determine what you are running and how best to attack it.
Apache
The first place to look is your httpd.conf; these are the settings you want:
ServerTokens Directive
ServerTokens Prod
Tells Apache to output only the product name; the version information and the module list are hidden. After changing this directive the Server response header is:
Server: Apache
ServerSignature Directive
ServerSignature Off
Any page generated by Apache itself (an error page, for example) carries a small signature line at the bottom with server information; setting this to Off suppresses that additional info that no one needs.
PHP
Now to get rid of that pesky X-Powered-By header added by PHP; this is done in your php.ini file.
; Misc
;
; Decides whether PHP may expose the fact that it is installed
; on the server (e.g. by adding its signature to the Web
; server header). It is no security threat in any way, but it
; makes it possible to determine whether you use PHP on your
; server or not.
expose_php = On
I think telling everyone what language you are using, and its version, is just a bad idea. Yes, you can figure this out by other methods (like what software is running… WordPress anyone? heh), but I see no good reason to leave this on. What’s worse is that it is ON by default (at least in my CentOS RPM). So turn that bad boy off.
expose_php = Off
Don’t forget to restart Apache! (Let’s be nice to any current surfers: `service httpd graceful`)
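Before restarting, it is worth checking that the three directives above actually ended up with the intended values, since a later line in the same file silently overrides an earlier one. The script below is an added example, not code from the original post: it reads Apache-style (`Name value`) and ini-style (`name = value`) files, takes the last uncommented occurrence of each directive, and reports anything that still leaks. The `HTTPD_CONF_*` and `PHP_INI_*` fragments are constructed samples standing in for real httpd.conf and php.ini files; the `audit_httpd_conf` and `audit_php_ini` names are my own. It also covers the case the post does not spell out: a missing `ServerTokens` or `expose_php` line is still a finding, because the built-in defaults are `Full` and `On` respectively.

```python
import re

# Constructed sample configuration fragments, modelled on the directives the
# post quotes; they stand in for a real httpd.conf and php.ini.
HTTPD_CONF_BEFORE = """\
# typical distro defaults: full version string and signature line
ServerTokens OS
ServerSignature On
"""

HTTPD_CONF_AFTER = """\
ServerTokens Prod
ServerSignature Off
"""

PHP_INI_BEFORE = """\
; Misc
; Decides whether PHP may expose the fact that it is installed
expose_php = On
"""

PHP_INI_AFTER = "expose_php = Off\n"


def last_directive(text, name, comment_chars):
    """Return the value of the last uncommented `name` line in an Apache-style
    ("Name value") or ini-style ("name = value") file, or None if it is never
    set. The last occurrence wins because later definitions override earlier
    ones in both formats."""
    pattern = re.compile(r"^" + re.escape(name) + r"(?:\s*=\s*|\s+)(\S+)", re.IGNORECASE)
    value = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in comment_chars:
            continue
        match = pattern.match(stripped)
        if match:
            value = match.group(1)
    return value


def audit_httpd_conf(text):
    """Findings for the two Apache directives the post changes. Apache's
    built-in defaults are ServerTokens Full and ServerSignature Off, so a
    missing ServerTokens line still leaks the full version string."""
    findings = []
    tokens = last_directive(text, "ServerTokens", "#") or "Full"
    if tokens.lower() != "prod":
        findings.append(f"ServerTokens is {tokens}; set 'ServerTokens Prod'")
    signature = last_directive(text, "ServerSignature", "#") or "Off"
    if signature.lower() != "off":
        findings.append(f"ServerSignature is {signature}; set 'ServerSignature Off'")
    return findings


def audit_php_ini(text):
    """Finding for expose_php. PHP's built-in default is On, so a missing or
    commented-out line is still a finding."""
    value = last_directive(text, "expose_php", ";") or "On"
    if value.lower() not in ("off", "0", "false", "no"):
        return [f"expose_php is {value}; set 'expose_php = Off'"]
    return []


if __name__ == "__main__":
    # Point these at the real files, e.g. open("/etc/httpd/conf/httpd.conf").read()
    for label, conf in (("before", HTTPD_CONF_BEFORE), ("after", HTTPD_CONF_AFTER)):
        print(f"httpd.conf ({label}):", audit_httpd_conf(conf) or "ok")
    for label, ini in (("before", PHP_INI_BEFORE), ("after", PHP_INI_AFTER)):
        print(f"php.ini ({label}):", audit_php_ini(ini) or "ok")
```

Run it against the samples and the "before" fragments produce one finding per directive while the "after" fragments come back clean; swap the constants for the contents of your real files to check a live box.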
Now a response from aknosis.com is much cleaner and ‘safer’:
| Header | Value |
|---|---|
| Date | Wed, 14 Oct 2009 06:04:21 GMT |
| Server | Apache |
| X-Pingback | http://www.aknosis.com/akwp/xmlrpc.php |
| Expires | Wed, 11 Jan 1984 05:00:00 GMT |
| Last-Modified | Wed, 14 Oct 2009 06:04:21 GMT |
| Cache-Control | no-cache, must-revalidate, max-age=0 |
| Pragma | no-cache |
| Vary | Accept-Encoding,User-Agent |
| Content-Encoding | gzip |
| Content-Length | 10636 |
| Keep-Alive | timeout=2, max=100 |
| Connection | Keep-Alive |
| Content-Type | text/html; charset=UTF-8 |
So there you have it: two simple file edits and a server restart, and you are one step ahead in the battle for a secure web environment.
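The two header tables above are easy to compare by eye, but the same check is worth repeating after every package update. The script below is an added example, not code from the original post: it parses a raw HTTP response (what `curl -sI` prints) and flags the two leaks the post fixes, a `product/version` token in the Server header and any X-Powered-By header at all. `BEFORE` and `AFTER` are the post's two header sets re-typed as constructed raw responses (status line added, bodies omitted) so the script runs offline; `parse_headers`, `audit_response` and `VERSION_RE` are my own names.

```python
import re
import sys

# The two header sets shown in the post, re-typed as constructed raw HTTP/1.1
# responses (status line added, bodies omitted) so the script runs offline.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 14 Oct 2009 05:59:59 GMT\r\n"
    "Server: Apache/2.2.3 (CentOS) PHP/5.2.9 mod_ssl/2.2.3 OpenSSL/0.9.8b\r\n"
    "X-Powered-By: PHP/5.2.9\r\n"
    "X-Pingback: http://www.aknosis.com/akwp/xmlrpc.php\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 14 Oct 2009 06:04:21 GMT\r\n"
    "Server: Apache\r\n"
    "X-Pingback: http://www.aknosis.com/akwp/xmlrpc.php\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# A "product/version" token such as Apache/2.2.3, OpenSSL/0.9.8 or just
# Apache/2 (what ServerTokens Major still reveals).
VERSION_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*/\d+(?:\.\d+)*")


def parse_headers(raw):
    """Split the header block of a raw HTTP response into (name, value) pairs.
    Names are lower-cased (they are case-insensitive); the status line is
    dropped and duplicate headers are kept in order."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n"):
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw):
    """Return (header, problem) findings for the two leaks the post fixes:
    version tokens in Server (ServerTokens) and any X-Powered-By (expose_php)."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "server":
            versions = VERSION_RE.findall(value)
            if versions:
                findings.append(("Server", f"leaks {', '.join(versions)}; set ServerTokens Prod"))
        elif name == "x-powered-by":
            findings.append(("X-Powered-By", f"present ({value}); set expose_php = Off"))
    return findings


if __name__ == "__main__":
    # Save real headers first, e.g.  curl -sI http://host/page.php > headers.txt
    # then run:  python audit.py headers.txt   (no argument: audit the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("before", BEFORE), ("after", AFTER)]
    for label, text in samples:
        print(f"{label}: {audit_response(text) or 'clean'}")
```

The Server check is deliberately a pattern match rather than an equality test against `Apache`, so it also catches the intermediate settings (`ServerTokens Major`, `Minor`, `Min`) that still print a version number.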
Don’t have access to httpd.conf? You can’t change ServerTokens in .htaccess, but you can change ServerSignature there.
Don’t have access to php.ini? expose_php can only be set in php.ini.
However, I do think it is perfectly valid to ask for these changes if you are using a paid webhost, so go right ahead and do so!