Disable Expose PHP and Use Production Value for ServerTokens (Apache)

Last Updated on Monday, 12 January 2009 12:12 Written by Victor Gebhardt Thursday, 8 January 2009 05:30

Servers by default display information via Apache and PHP that makes them vulnerable. With Apache, the version number and installed module versions are listed at the bottom of 404 error pages. With PHP, because it runs on our servers as CGI, when it processes php scripts, it adds the “X-Powered By” and displays the version number. In both cases this is not desirable as attackers can use such information to compromise the server.

This is what it looks like when ServerTokens are set to Full.