Security

How to remove PHP X-Powered-By & Nginx Version

While auditing my website's security with the curl command to view the HTTP response headers, I noticed that nginx gives out quite a bit of server information that should be hidden for security reasons.

You can view your HTTP response headers with the curl command:

$ curl -I http://domain.com/

This is the output from one of my Nginx web servers:

HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 09 May 2014 05:19:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.5.12

This information is available to anyone who cares to look. I'm going to show you how to hide the Nginx version and the X-Powered-By header (which reveals the PHP version).

To remove X-Powered-By (PHP’s version)

PHP's configuration file (php.ini) is generally located in the /etc/ directory. To remove X-Powered-By you have to edit php.ini:

# nano /etc/php.ini

Search for expose_php. By default expose_php is On, which makes PHP announce its version in the HTTP header:

expose_php = On

To remove X-Powered-By, turn expose_php off:

expose_php = Off

Save php.ini and restart Apache or php-fpm, whichever you are running.

To restart Apache on CentOS/RedHat/Fedora:

# service httpd restart

To restart Apache on Debian/Ubuntu/Linux Mint:

# service apache2 restart

To restart php-fpm if you are running php-fpm with Nginx:

# service php-fpm restart

To remove Nginx Version

Nginx gives out its version in the HTTP response header and in its default error pages. For the same security reason we also want to hide the Nginx version. To hide it, change the server_tokens parameter from on (the default) to off in the Nginx configuration file:

# nano /etc/nginx/nginx.conf

and add server_tokens off; inside the http { ... } block that holds your nginx configuration:

http {
    server_tokens off;
}
You must restart Nginx for the change to take effect:

# service nginx restart

Now check the headers again:

$ curl -I http://domain.com/

and the output is:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 09 May 2014 05:53:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
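To confirm both changes stuck after a restart (or to catch them being reverted by a package upgrade), here is a small header check, added as an example and not part of the original post. It reads a captured header block and reports the two disclosures discussed above; the sample headers at the bottom are constructed from the before/after responses shown in this post, and the function names are my own.

```shell
#!/bin/sh
# Added example: report version disclosures in an HTTP response header block.
# Live use: curl -sI http://domain.com/ | leak_report

# Print one line per disclosure found in the header block given as $1
# (or read from stdin when no argument is given). Always returns 0.
leak_report() {
    # curl -I output is CRLF-terminated; drop the CR so anchors match cleanly.
    hdrs=$(printf '%s\n' "${1:-$(cat)}" | tr -d '\r')
    # "Server: nginx/1.6.0" carries a version; "Server: nginx" does not.
    printf '%s\n' "$hdrs" | grep -i '^Server:' | grep -q '/[0-9]' \
        && printf '%s\n' "Server header exposes a version: set 'server_tokens off;' in nginx.conf"
    # Any X-Powered-By header at all means expose_php is still On.
    printf '%s\n' "$hdrs" | grep -iq '^X-Powered-By:' \
        && printf '%s\n' "X-Powered-By present: set 'expose_php = Off' in php.ini"
    return 0
}

# Number of disclosures found (0 means the headers look clean).
leak_count() {
    leak_report "$1" | grep -c .
}

# Constructed samples: the before/after responses from this post.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 09 May 2014 05:19:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.5.12'

AFTER='HTTP/1.1 200 OK
Server: nginx
Date: Fri, 09 May 2014 05:53:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive'

printf 'before: %s disclosure(s)\n' "$(leak_count "$BEFORE")"
leak_report "$BEFORE"
printf 'after:  %s disclosure(s)\n' "$(leak_count "$AFTER")"
```

A non-zero count from leak_count against your own server is the signal to re-check php.ini and nginx.conf and restart the services again.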
