[WEB SECURITY] Securing apache installation with PHP

Richard Moore rich at westpoint.ltd.uk
Wed Jun 1 04:29:42 EDT 2005

Ian Holsman wrote:
> nice try,
> but unfortunately PHP adds its own header which ignores the
> servertokens directive.
> you will also need to edit your PHP.ini and change expose_php to off
> ; Misc
> ; 
> ; Decides whether PHP may expose the fact that it is installed on the server
> ; (e.g. by adding its signature to the Web server header).  It is no security
> ; threat in any way, but it makes it possible to determine whether you use PHP
> ; on your server or not.
> expose_php = off

Does this also prevent the 'easter egg' session ids? These also expose
lots of information.



Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
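
An added example, not part of the original thread or of PHP's own code: a small audit that reads the effective `expose_php` value from php.ini text and flags response headers that still advertise PHP. The function names, sample php.ini text, and header values (including version numbers) are constructed for illustration.

```python
import re

TRUE_WORDS = {"on", "yes", "true"}  # words PHP treats as boolean true

def expose_php_enabled(ini_text, default=True):
    """Effective expose_php from php.ini text; the last assignment wins.

    default=True mirrors PHP's built-in default (expose_php is On when unset).
    """
    value = default
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.match(r"expose_php\s*=\s*(.*)$", line, re.I)
        if not m:
            continue
        v = m.group(1).strip().strip("\"'").lower()
        if v in TRUE_WORDS:
            value = True
        else:
            try:
                value = int(v) != 0              # "1" / "0"
            except ValueError:
                value = False                    # off, no, false, none, empty
    return value

def php_banner_leaks(headers):
    """Return the (name, value) header pairs that disclose PHP."""
    leaks = []
    for name, val in headers:
        n = name.lower()
        if n == "x-powered-by" and "php" in val.lower():
            leaks.append((name, val))
        elif n == "server" and re.search(r"\bPHP/", val, re.I):
            leaks.append((name, val))
    return leaks

# Constructed sample inputs (not taken from any real server).
SAMPLE_INI = """[PHP]
;expose_php = On
expose_php = off   ; hide the PHP signature
"""
BEFORE = [("Server", "Apache/2.0.0 (Unix) PHP/0.0.0"),
          ("X-Powered-By", "PHP/0.0.0")]
AFTER = [("Server", "Apache"), ("Content-Type", "text/html")]

if __name__ == "__main__":
    print("expose_php enabled:", expose_php_enabled(SAMPLE_INI))
    print("leaks before:", php_banner_leaks(BEFORE))
    print("leaks after:", php_banner_leaks(AFTER))
```
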

The Web Security Mailing List
