Disable Expose PHP and Use Production Value for ServerTokens (Apache)

By default, Apache and PHP disclose information that helps an attacker. Apache prints its version number and the versions of installed modules at the bottom of server-generated error pages such as 404s. PHP, which runs as CGI on our servers, adds an “X-Powered-By” header carrying its version number whenever it processes a PHP script. Neither is desirable: attackers use such version details to fingerprint the server and match known exploits to the software it runs.

This is what it looks like when ServerTokens are set to Full.


To fix this on a new server, take the following steps:

For Apache, open /etc/httpd/conf/httpd.conf in your favorite text editor and search for ServerTokens. You should find an entry that reads:

ServerTokens Full

Change this to:

ServerTokens Prod

Save the file and restart Apache using service httpd restart.

For PHP, locate the global php.ini. On servers running both PHP 4 and PHP 5 you will need to edit the php.ini of each version: the PHP 4 copy is usually in /usr/local/php4/lib/ and the PHP 5 copy in /usr/local/lib/. Open each php.ini in your favorite text editor and search for expose_php. You should find an entry that reads:

expose_php = On

Change this to:

expose_php = Off

Save the file and restart Apache.
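The same two changes as a small audit-and-fix script, added here as an example (it is not from the original post). Config paths are passed as arguments, since the php.ini locations above depend on the build; the script also covers the case the steps above skip, a file with no ServerTokens or expose_php line at all, which Apache and PHP treat as Full and On.

```shell
#!/bin/sh
# Audit and fix the two banner settings from the post: ServerTokens in
# httpd.conf and expose_php in php.ini. Config paths are passed in; the
# ones in the post (/etc/httpd/conf/httpd.conf, /usr/local/lib/php.ini)
# are assumptions that depend on how Apache and PHP were built.

# Effective value of a key: the last uncommented line, in either Apache
# style ("Key Value") or php.ini style ("key = value"), lowercased.
config_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=*[[:space:]]*\([A-Za-z0-9]*\).*/\1/p" "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# A missing directive is weak too: Apache defaults to Full and PHP to On.
apache_tokens_ok() { [ "$(config_value "$1" ServerTokens)" = prod ]; }
php_expose_ok() {
    v=$(config_value "$1" expose_php)
    [ "$v" = off ] || [ "$v" = 0 ]
}

# Rewrite every active line for a key to the wanted text, or append the
# text when no active line exists. A temp file avoids sed -i (GNU/BSD
# differ); cat-ing it back keeps the config file's owner and mode.
set_line() {
    tmp=$(mktemp) || return 1
    if grep -q "^[[:space:]]*$2[[:space:]=]" "$1"; then
        sed "s/^[[:space:]]*$2[[:space:]=].*/$3/" "$1" > "$tmp"
    else
        { cat "$1"; printf '%s\n' "$3"; } > "$tmp"
    fi
    cat "$tmp" > "$1" && rm -f "$tmp"
}
harden_apache() { set_line "$1" ServerTokens 'ServerTokens Prod'; }
harden_php()    { set_line "$1" expose_php 'expose_php = Off'; }

# One line per file; the return value is the number of weak settings.
audit() {
    weak=0
    if apache_tokens_ok "$1"; then echo "ok   $1: ServerTokens Prod"
    else echo "WEAK $1: ServerTokens not Prod, Apache version is sent"; weak=$((weak + 1)); fi
    if php_expose_ok "$2"; then echo "ok   $2: expose_php Off"
    else echo "WEAK $2: expose_php On, X-Powered-By header is sent"; weak=$((weak + 1)); fi
    return $weak
}
```

Run `audit /etc/httpd/conf/httpd.conf /usr/local/lib/php.ini` before and after editing; a nonzero exit status means at least one banner is still sent. Apache still has to be restarted after `harden_apache` or `harden_php`, exactly as in the steps above.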

This concludes my small server security tweak.


3 Comments on Disable Expose PHP and Use Production Value for ServerTokens (Apache)

  1. Claus Conrad says:

    Thanks! Just what I needed.

  2. j klassen says:

    When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get four emails with the same comment. Is there any way you can remove me from that service? Bless you!
