Why is it important to remove X-Powered-by from response headers? How to remove?

19

Why is it important to remove X-Powered-By from the response headers?

Does this prevent some kind of attack, or does it avoid giving "insider information" to the attacker?

Example:

X-Powered-By: PHP/5.5.9-1ubuntu4.11

And what are the possible ways to remove it in PHP?

  • 5

    In php.ini, it is recommended to disable it using expose_php = Off... The reason is to avoid exposing the technology used on the server. It keeps malicious people from looking for ways to hack the server. You can even manipulate the information, switching it to another language that has nothing to do with it, so the "hacker" is left confused, trying to circumvent something that does not exist. The downside of blocking the information is for search engines that collect this data for statistics. With this information we know approximately the number of servers running PHP, ASP, JSP and so on.

  • 1

    An additional question, if someone can answer: is it possible to disable or change this header via .htaccess?

3 answers

14

It does not prevent or avoid anything; in fact, I believe it passes more information than necessary by disclosing the environment. I don’t use this header as a security factor. You can remove it either in the INI or in PHP itself.

Removing via INI: expose_php = Off

Removing via PHP: header_remove('X-Powered-By');

The function header_remove is available for PHP 5 >= 5.3.0.

9


That kind of header is known as ServerTokens/ServerSignature; it reveals server information such as name, version, technology and, in some cases, even the operating system.

Your header specifically (X-Powered-By) provides information on the technology, which is normally ASP.NET or PHP; in your case it also shows that it is running on Ubuntu, but this information is a bonus since it is in the version/build of PHP.

Another header we must also be aware of is Server, which shows the server name and version, such as Nginx, Apache or Microsoft-IIS.

You may also have this kind of information displayed on server error pages, as shown in the image below (404 error), so after removing this header it is worth checking the error page too.

[image: 404 error page]

Why is it recommended to remove this information?
As it reveals server information, it also ends up (almost unintentionally) exposing the known vulnerabilities of the server/system/technology, facilitating the work of a person who intends to attack your server and sometimes even attracting this type of person.
Some websites that list vulnerabilities: https://nvd.nist.gov, https://www.cvedetails.com, https://www.exploit-db.com

Does this prevent some kind of attack, or does it avoid giving "insider information" to the attacker?
It doesn’t stop any attack. But an attacker with this information can search for known vulnerabilities, and this will make his life easier and increase his chance of success with the attack.

Can you disable or change this header via .htaccess?*
To remove a header via .htaccess you need to add the following config: Header unset <header name> or Header always unset <header name>. In this case it ends up as shown below.

Header always unset X-Powered-By


[note]

  1. The most recommended approach is to configure php.ini and the server not to return this information to the client.
  2. I haven’t tested this method, so I don’t know if it can remove this header.

*Question asked in comment by Guilherme Costamilam




Removing the header X-Powered-By

PHP

In PHP you will have to edit the file php.ini and change the value expose_php = On to expose_php = Off; after changing it, do not forget to restart PHP.

Another option is to remove/change the information from your PHP script, for example by placing one of the commands below in your index.php.

header('X-Powered-By: MeuServer');
header_remove('X-Powered-By');

[IMPORTANT] If you choose to remove the header this way, that is, with the command above, you will only be able to remove this header in the files you have changed, which means the server will continue sending this header elsewhere; in other words, the best option is to configure it in php.ini.


Removing the header Server

Apache2

In apache2 you can disable this kind of header by changing or adding the following settings at the end of the file apache2.conf:

ServerSignature Off
ServerTokens Prod

After changing the configuration file, don’t forget to restart the apache2 service; on Linux you can use one of the commands below.

sudo service apache2 restart
sudo apache2ctl restart

Nginx

In nginx you will need to install nginx-extras to change headers of that kind:

sudo apt-get install nginx-extras

*Installation command if you are using Ubuntu/debian

and add the configuration to the file nginx.conf inside the http { } block:

#more_set_headers "Server: MeuServer"; # Changes the Server header
more_clear_headers Server; # Removes the Server header
server_tokens off; # Do not return the nginx version and operating system

After changing the file, don’t forget to restart the nginx service; on Linux you can use the command below.

sudo service nginx restart

IIS and ASP.NET

The site below is in English and has more information about these headers and how to remove them if you are using IIS or ASP.NET, with an illustrated tutorial.
Hardening your HTTP Response headers - scotthelme.co.uk


Useful links

Some useful links that help analyze your server's header and SSL configuration:
Header analysis - securityheaders.com
SSL analysis - ssllabs.com
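A small checker, added here and not part of the original answers, that parses a captured HTTP response and flags the Server and X-Powered-By headers discussed above, so both the normal page and the error page can be verified after applying the php.ini, Apache, Nginx or .htaccess changes. The two sample responses in it are constructed for the demonstration (the Apache version string is made up).

```python
"""Added example (not the answers' code): flag stack-disclosing headers in a captured
HTTP response, to verify the normal page and the error page after hardening."""
import re
from typing import List, Tuple

# Headers discussed in the thread; both reveal the technology behind the site.
DISCLOSURE_HEADERS = ("x-powered-by", "server")
# Version fragments such as "PHP/5.5.9" or "nginx/1.4.6", and OS hints like "(Ubuntu)".
VERSION_RE = re.compile(r"/\d+(?:\.\d+)+|\([^)]+\)")

# Constructed sample: a 404 response before hardening, using the question's header.
BEFORE_HARDENING = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.11\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>Not Found</body></html>"
)
# Constructed sample: the same page after expose_php = Off and ServerTokens Prod.
AFTER_HARDENING = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>Not Found</body></html>"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP response; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def find_disclosures(raw: str) -> List[str]:
    """Report Server / X-Powered-By headers, noting when a version or OS leaks."""
    findings = []
    for name, value in parse_headers(raw):
        if name.lower() in DISCLOSURE_HEADERS:
            leak = " (version/OS exposed)" if VERSION_RE.search(value) else ""
            findings.append(f"{name}: {value}{leak}")
    return findings

def is_hardened(raw: str) -> bool:
    """True when X-Powered-By is gone and no remaining header exposes a version."""
    return not any("exposed" in f or f.lower().startswith("x-powered-by")
                   for f in find_disclosures(raw))
```

Run it against the raw output of a captured response for both a normal page and an error page, since the answer above notes the error page may still carry the headers.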

8

See this article, old by now but still very useful:

Apache Tips & Tricks: Hide PHP Version (X-Powered-By)

I would also like to add that in the systems I develop or participate in, this header element is always masked or removed. By masked I mean, for example, replaced with the domain name.

This is because it is information that can lead to insecurity. That is, masking its content by itself does not make the system more secure; it just prevents the remote host from perceiving the system and the version of PHP that is being executed.

We all know that every version of any software has its flaws, and all of them are documented over the software's lifetime; PHP is no exception.

Analysis of this type of information allows one to understand what flaws this specific version will have, and from there security flaws and consequent attacks can follow.

UPDATE: It should also be said that for the CSS, JS or image elements belonging to a page that "masks" this header element, the header can be viewed normally, so if the option is to mask the content of this header element, the same should be done for any type of element that requires autonomous requests.
