How to hide X-Powered-By for PHP

**How to hide X-Powered-By for PHP**

By default, PHP will show header like

X-Powered-By: PHP/5.2.1

X-Powered-By may expose some security issue, it tells hacker which PHP version you are using now

Check the response for browsing http://www.chineseinla.com/f.html, this is ChineseInLA.com's forum page.

REQUEST:

GET / HTTP/1.1

Host: www.chineseinla.com

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; zh-CN; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: zh-cn,zh;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer: http://www.chineseinla.com/f.html

RESPONSE:

HTTP/1.1 200 OK

Date: Sat, 02 Feb 2008 00:49:57 GMT

Server: Apache/2.2.2 (Unix) DAV/2 PHP/5.2.1

X-Powered-By: PHP/5.2.1

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 10887

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

when install PHP, it default to turn the X-Powered-By on. It's configuration is in php.ini and the variable is expose_php.

In order to remove X-Powered-By header, you can turn it off, like

expose_php = Off

After change, restart your apache, the configuration will take effect immideatelly

GET /test.php HTTP/1.1