Expose to the world that PHP is installed on the server. Or not!

Expose to the world that PHP is installed on the server. Or not!

Recently my colleague asked me do I know what will happen if you type in URL “?=PHPE9568F34-D428-11d2-A769-00AA001ACF42“. I forgot about that and I didn’t know the answer instantly. Probably in time of learning PHP and related stuff I’ve noticed that query param and I didn’t know what consequences it could exploit. Maybe in that time I said… OK you can see PHP logo but who cares!? But recently when I saw that and when I looked once again HTTP header I saw what security issue could be if you echo to the world your PHP version (X-Powered-By:) and server header info (Server:). Probably all of you saw some “hacker websites” where you can find exploits for various CMS/Frameworks with their versions and platforms on which exploits could be accomplish. So probably you can now guess in which direction this post will go.

For more info about expose_php take a look this link.

Okay. So we have 2 HTTP headers: “X-Powered-By” and “Server” which I want to mention here.

Let’s see php.net website:

So from the image above we can see version of PHP and Apache. Now if we know that there is some bug on those version probably we will be able to hack php.net. Notice that php.net has the most latest and stable version of PHP. Do you have the same? Probably not. If you’re running PHP 5.3.5 please take a look ChangeLog on php.net for PHP version 5.3.6 and see how many bug-fixes developers behind the PHP have done! If you’re not always up to date with all of your software on your server you should hide your PHP and Server version from the world.

So how to hide your PHP version and perhaps Apache version from the world. First visit your website (http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42) and look into the header info. If you see those values for PHP and Apache follow next 2 steps:

1) How to hide “X-Powered-By” value from HTTP header

In the php.ini file you can search for expose_php line and see if it’s set to On (default is On). If that’s the case then you should change “expose_php = On” to “expose_php = Off“. Restart your Apache and see header again or see your website, http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42

On my local machine you can see:
a) before change

b) after changes (and restarting Apache)

2) How to “hide” “Server” value from HTTP header

In httpd.conf (Apache) file you can search for “LoadModule headers_module modules/mod_headers.so” and if it’s enabled you can add at the bottom of the file next lines:

ServerSignature Off
ServerTokens Prod
<ifmodule mod_headers.c>  
  Header unset Server  
  Header unset X-Powered-By  

After changes and restarting Apache:

Notice that we didn’t actually hide Server info, we only set Server to only Apache – without any version info.

Note. If you add only 2) without changing php.ini 1), everyone will be able to run something like this: http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 and see PHP logo.

Also, if you check Google, FB, Magento,… HTTP header for those information you’ll see that they had hide their “sensitive” info.

You made it all the way down here so you must have enjoyed this post! You may also like:

How to programmatically create customers in Magento 2.3.x Deni Pesic
Deni Pesic, | 2

How to programmatically create customers in Magento 2.3.x

90% of Magento websites are running on unsupported PHP versions. Why is this a problem and how can you (we) solve it? Aron Stanic
Aron Stanic, | 8

90% of Magento websites are running on unsupported PHP versions. Why is this a problem and how can you (we) solve it?

Using custom php.ini  file with php CLI Darko Goles
Darko Goles, | 3

Using custom php.ini file with php CLI


  1. Nice post, but in Magento’s case we have the “frontend” cookie who is trickier to hide.
    And extensions like “Builtwith” that have a large database.

    How do we trick that tools? 🙂

  2. @Björn

    I think that you can set ServerSignature via htaccess file. If you are able – DO IT through configuration file because of performance gains… If you have high traffic site you can hide as much data in headers as possible and your server will send only few headers responses and you’ll save some net traffic.

    About hiding ServerSignature via htaccess file:


    Disable the Server Signature ^
    Here we are disabling the digital signature that would otherwise identify the server:
    # disable the server signature
    ServerSignature Off
  3. Thanks Ivan for bringing this to our attention. I’ve applied the changes to some of our servers. Is there a way to set the ServerSignature even via htaccess?

  4. Thanks for the post, but for those who cannot edit php.ini on their hosting platform.

    There are four different query stings in php.

    Brings up a different logo depending on your php version.

    Brings up the logo as above in your post.


    Brings up the credits.


    Brings up the Zend Engine version logo.

    I have a part way fix which you can add to your magento .htaccess file. Which uses regex to redirect any different php type string to the forbidden page.

    ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
    ## your PHP version). 
    	RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC]
    	RewriteRule .* - [F]

    Hope that helps!


  5. Interesting post.
    Security is very important subject, specially in eCommerce systems which perform money transactions.
    Developers should be aware of the security issues and distinguish between development and production environment.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <blockquote cite=""> <code> <del datetime=""> <em> <s> <strike> <strong>. You may use following syntax for source code: <pre><code>$current = "Inchoo";</code></pre>.

Tell us about your project

Drop us a line. We'd love to know more about your project.