How to hide PHP 5/7 version when using Nginx

I

am using PHP 5.6.xx and Nginx server on an Apline Linux server. I want to hide ‘X-Powered-By: PHP/5.6.32’ HTTP header. How can I hide PHP version when using Nginx along with PHP-fpm5 or PHP-fpm7?

 

By default, client/user/browser see information about your PHP and web server version. If you forgot to update your PHP version, an attacker can use version information to attack or find vulnerabilities in your PHP version.

 

Let us see how to hide PHP version on a Linux or Unix-like system.

How to find out PHP version using the CLI

You need to use the curl command as follows:

curl -IL https://some-server-ip-OR-domain-name/

curl -IL https://server1.cyberciti.biz/

 

Sample outputs:

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 05 Dec 2017 04:36:28 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

X-Powered-By: PHP/5.6.32

Set-Cookie: PHPSESSID=lf9r4cdc1fqrm5l881ia5p52l2; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

X-Robots-Tag: noindex, noarchive

Strict-Transport-Security: max-age=15768000

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

X-Whome: l-cbz01

Referrer-Policy: no-referrer-when-downgrade

Hiding your PHP version

You need to edit/create a file named custom.ini as per your Linux/Unix variant. Do not edit php.ini file as it might get updated/replaced with your PHP version. Here is a quick list:

Alpine Linux and PHP v5.6.xx : /etc/php5/conf.d/custom.ini

Alpine Linux and PHP v7.xx : /etc/php7/conf.d/custom.ini

Debian/Ubuntu Linux and PHP v7.xx : /etc/php/7.0/fpm/conf.d/custom.ini

RHEL/Fedora/CentOS Linux : /etc/php.d/custom.ini

You can always find php directory location using php* and grep command:

$ php -i | more

$ php -i | grep -i -A4  Additional .ini files parsed

$ php-fpm5 -i | grep -i -A4  Additional .ini files parsed

$ php-fpm7.0 -i | grep -i -A4  Additional .ini files parsed

 

Sample outputs (look for directory name that stores all .ini files):

Configuration File (php.ini) Path => /etc/php/7.0/fpm

Loaded Configuration File => /etc/php/7.0/fpm/php.ini

Scan this dir for additional .ini files => /etc/php/7.0/fpm/conf.d

Additional .ini files parsed => /etc/php/7.0/fpm/conf.d/10-mysqlnd.ini,

/etc/php/7.0/fpm/conf.d/10-opcache.ini,

/etc/php/7.0/fpm/conf.d/10-pdo.ini,

Add the following line to custom.ini as per your setup:

########################################

this is for Alpine Linux and PHP v5.6.xx ##

########################################

echo  expose_php = off  >> /etc/php5/conf.d/custom.ini

Restart/reload PHP

The syntax depends upon your PHP version:

[ Alpine linux restart php-fpm ] ##

$ sudo /etc/init.d/php-fpm restart

[ RHEL/CentOS 5.x/6.x restart php-fpm ] ##

$ sudo service php-fpm restart

[ RHEL/CentOS 7.x restart php-fpm ] ##

$ sudo systemctl restart php-fpm

[ Debian/Ubuntu Linux latest restart php-fpm ] ##

$sudo service php7.0-fpm restart

[ FreeBSD restart php-fpm ] ##

$ sudo service php-fpm restart

Verification

Use the curl command again:

$ curl -IL https://some-server-ip-OR-domain-name/

$ curl -IL https://server1.cyberciti.biz/

 

Sample outputs:

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 05 Dec 2017 05:17:40 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

Set-Cookie: PHPSESSID=6vkcp53a1p99n57lccte9fs0m3; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

X-Robots-Tag: noindex, noarchive

Strict-Transport-Security: max-age=15768000

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

X-Whome: l-cbz01

Referrer-Policy: no-referrer-when-downgrade

You can also use the nmap command as follows:

sudo nmap -sV –script=http-php-version server-ip-here

sudo nmap -sV –script=http-php-version server1.cyberciti.biz

 

Sample outputs:

[sudo] password for vivek:

 

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-05 10:58 IST

Nmap scan report for server1.cyberciti.biz (192.168.2.42)

Host is up (0.39s latency).

rDNS record for 192.168.2.42: 42-2-168-192-staging.balancer.nginx.nixcraft.lan

Not shown: 998 closed ports

PORT    STATE SERVICE  VERSION

80/tcp  open  http     nginx

|_http-server-header: nginx

443/tcp open  ssl/http nginx

|_http-server-header: nginx

 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds

A warning about hiding PHP version

This technique falls under Security Through Obscurity. Even if nobody outside of your org allowed to find out anything about PHP version, an attacker can still guess or find your PHP version using other methods such as fingerprinting. I strongly suggest that you apply PHP/Nginx/Apache patches on time and write secure code. Updating PHP is pretty simple as per your Linux/Unix variant:

Update PHP and other apps on an Ubuntu/Debian Linux

Type the following apt command/apt-get command:

$ sudo apt update

$ sudo apt upgrade

Update PHP and other apps on a RHEL/CentOS/Fedora Linux

Type the following yum command:

$ sudo yum update

Update PHP and other apps on an Alpine Linux

Type the following apk command:

# apk update && apk upgrade

See also

PHP security best practices

PHP expose_php init directive