Thursday, January 7, 2010

Hide PHP Version Info On Your WebServer

Security is not only about keeping your operating system, software, firmware etc. updated and firewalled. It's also about keeping some essential information secret from the outside world. If you are wondering why you would ever want to hide the PHP version number, or let's say the server you are running your application on, from the guys outside, read on.

As a web application performance and optimization consultant, I have seen that most webservers and application software like CMS packages are usually not updated to the latest version. The older versions running on these systems can pose a real risk to the whole system. Hackers and script kiddies are often looking for exactly this information in order to exploit or fully compromise the system. Therefore, it's always in your best interest to keep the version information of your software from being revealed to the outside (just in case there is an existing flaw and script kiddies who recently learnt a new trick are looking for fresh meat).

Though PHP is generally regarded as a reliable and secure platform, older versions of PHP are known to contain security holes. So if you are running an older version of PHP, this article will help you get some degree of protection from reconnaissance attacks.

By default, the webserver outputs the version of the PHP platform in a special HTTP response header called X-Powered-By (e.g. X-Powered-By: PHP/5.2.9). This value is output in the response header because of a setting called expose_php in the php.ini configuration file.

Image:Sample HTTP Response header containing X-Powered-By header with PHP Version Information.

In order to turn expose_php off, open your php.ini file and set the value of expose_php to "off":

expose_php=off

Setting expose_php to off doesn't give you a completely secure system, but it does give you some level of protection from script kiddies and bots looking for information of their choice.
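To verify the change on your own server, here is an added check (not part of the original post) that parses a raw HTTP response and flags headers which still carry a product version; the two sample responses are constructed, and fetch_headers is a hypothetical helper for running the same check live against a host you administer.

```python
import re
from typing import List, Tuple

# Response headers that commonly leak software or version information.
DISCLOSING_HEADERS = ("x-powered-by", "server", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")   # e.g. 5.2.9


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse a raw HTTP response (status line + headers) into (name, value) pairs."""
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs = []
    for line in lines[1:]:            # skip the status line
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_disclosures(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return headers that reveal a version (e.g. X-Powered-By: PHP/5.2.9)."""
    return [(n, v) for n, v in pairs if n in DISCLOSING_HEADERS and VERSION_RE.search(v)]


def fetch_headers(host: str, path: str = "/", port: int = 80) -> List[Tuple[str, str]]:
    """Hypothetical helper: HEAD request against your own server (needs network)."""
    import http.client
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    pairs = [(n.lower(), v) for n, v in resp.getheaders()]
    conn.close()
    return pairs


# Constructed sample: a default install with expose_php = On.
BEFORE = ("HTTP/1.1 200 OK\r\nDate: Thu, 07 Jan 2010 10:00:00 GMT\r\n"
          "Server: Apache\r\nX-Powered-By: PHP/5.2.9\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")

# Constructed sample: the same server after expose_php = off in php.ini.
AFTER = ("HTTP/1.1 200 OK\r\nDate: Thu, 07 Jan 2010 10:00:00 GMT\r\n"
         "Server: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, find_disclosures(parse_headers(raw)))
```

Note that the check also looks at the Server header, since a ServerTokens-style version string there undoes much of what hiding X-Powered-By gains.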


Narasimha Raju. Naidu
India
