How to Remove X-Powered-By in Apache



By default, Apache reveals a lot of unnecessary information, such as the server version number, in its response headers. This lets attackers identify your technology and exploit its vulnerabilities. “X-Powered-By” is one such response header, sent by PHP. Let us take a look at how to remove X-Powered-By in Apache.

 

How to Remove X-Powered-By in Apache

Even if you turn off the server version number and headers in Apache, version information will still be visible because of PHP. Here’s an example:


HEAD http://remote_server.com/index.php
200 OK
Connection: close
Date: Fri, 16 Jun 2016 01:16:30 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 16 Jun 2016 21:48:13 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.1.2-1+b1

 

So whenever a .php URL is requested, users will know which PHP version you are using.

Here are the steps to remove X-Powered-By in Apache. There are 2 ways to do it: via PHP and via Apache. We will look at both methods.

 

1. Using PHP

Open your php.ini file in a text editor. You will usually find it in one of the following locations depending on your Linux distribution:

  • /etc/php.ini
  • /etc/php5/apache2/php.ini

 


$ sudo vim /etc/php.ini

 

Then turn off the expose_php directive, which controls whether PHP sends the X-Powered-By header. By default, it is turned on. Add the following line to php.ini to turn it off.


expose_php = Off

 

Restart the Apache web server to apply the changes.

# service httpd restart # For RHEL based systems
$ sudo service apache2 restart # For Debian based systems

 

2. Using Apache

Before you proceed, please ensure you have enabled mod_headers in Apache.

Open Apache config file in a text editor. You will find it at one of the following locations, depending on your Linux distribution:

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf
  • /etc/httpd/conf/httpd.conf

 

Add the following lines to it.


Header always unset "X-Powered-By"
ServerTokens Prod
ServerSignature Off

 

Restart the Apache web server to apply the changes.


$ apachectl -k graceful

 

That’s it! You can use online tools to check your response headers.
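To check the result locally instead of with an online tool, the following shell function audits response headers for the two disclosures this article covers. It is an added example, not part of the original article; the function name, the sample responses and the localhost URL in the last comment are assumptions made for illustration.

```shell
# Added example: audit response headers for version disclosure.
# check_headers reads raw response headers on stdin, prints each leak,
# and returns 1 if anything is disclosed, 0 if the response is clean.
check_headers() {
    awk '
        { sub(/\r$/, "") }                 # strip CR from CRLF line endings
        {
            colon = index($0, ":")
            if (colon == 0) next           # status line or blank line
            name  = tolower(substr($0, 1, colon - 1))  # names are case-insensitive
            value = substr($0, colon + 1)
            sub(/^[ \t]+/, "", value)
        }
        name == "x-powered-by" { print "LEAK: X-Powered-By: " value; bad = 1 }
        # ServerTokens Prod yields a bare product name (Apache), so any
        # digit in the Server value means a version is still exposed.
        name == "server" && value ~ /[0-9]/ { print "LEAK: Server: " value; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample: default settings, PHP and Apache versions visible.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/5.1.2-1+b1\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n'
}

# Constructed sample: after expose_php = Off and ServerTokens Prod.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n'
}

# Demo on the constructed samples.
sample_before | check_headers || echo "before: version information disclosed"
sample_after | check_headers && echo "after: clean"
# Live check (URL is an assumption): curl -sI http://localhost/index.php | check_headers
```

Run the live check against a .php URL, since PHP adds X-Powered-By only to responses it generates.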

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.