How to hide X Server Values

Oğuz~#>

Senior Member
5 Jul 2009
4,772
17
Bursa
What are X Header values?

X header information is included by default in several internet technologies. The header sends information to the browser, including information about the web services running. Many types of X-* headers are no threat to your security. The most common security related X header is the X-Powered-By header. Check the notes for each URL after a scan to see if this is in fact the X message you are seeing.
The X-Powered-By header reveals the version of PHP you are running. Like other low-risk, version-disclosure issues, it hands an attacker or automated process data that can be used to launch attacks known to work against your specific version. Removing this information decreases the likelihood of such attacks.
Another common header is the X-Pingback header used in many WordPress installations. This is an example of a header with no security implications, and it can be safely ignored. There are many X-* headers around, and each result should be looked at to see whether it reveals version information about the site.

Why Should I Hide these Headers?

A dedicated attacker can find out this information in a variety of ways, most of which cannot be easily prevented. By itself, this information provides little value to an attacker.
The most common use of this kind of information is in automated attacks that search Google for specific configurations known to be vulnerable, or that automate attacks known to work against setups similar to what is found on the site. Removing these values from the server headers will prevent these types of automated attacks from occurring.

Solutions - How to Disable X Headers

Although it is not necessarily possible to completely prevent this knowledge from being discovered, it is possible to make it significantly more difficult for attackers. The most commonly seen X header which we want to remove is the X-Powered-By header from PHP. Here is how to remove it.

  1. Navigate to your php.ini file. This is often located in /etc/php.ini or /usr/bin/php/php.ini
  2. If it is not here, you can try a locate command on Unix, or execute a phpinfo() within PHP to see the directory.
  3. Open the file using a text editor. On Unix systems, the most common one is vi (command: vi php.ini)
  4. Find the line including expose_php (if using vi, you can find this quickly by typing in /expose_php)
  5. Update it so that expose_php is set to off - expose_php = off
  6. Restart Apache (or other web server). For Apache, this is generally httpd restart
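The procedure above, as an added example script (not part of the original post): it checks a raw HTTP response for X-* headers and flags X-Powered-By, then rewrites the expose_php directive in a given php.ini to Off. The sample response is constructed; the php.ini path is passed in as an argument because its location varies between systems (the post suggests /etc/php.ini, or phpinfo() to find it).

```shell
#!/bin/sh
# Constructed sample: the header block a PHP server sends while expose_php = On.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
X-Pingback: http://example.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
'

# Print every X-* header found in a raw HTTP header block, one per line,
# so each one can be reviewed for version information.
list_x_headers() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^X-[A-Za-z0-9-]*:'
}

# Exit status 0 if the response carries X-Powered-By (version disclosure), 1 if not.
has_powered_by() {
    printf '%s\n' "$1" | grep -qi '^X-Powered-By:'
}

# Print the current (last, uncommented) expose_php value in a php.ini file.
expose_php_value() {
    grep '^[[:space:]]*expose_php[[:space:]]*=' "$1" | tail -n 1 \
        | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Set expose_php = Off in the php.ini given as $1 (step 5 of the post).
# Keeps a .bak copy; replaces an existing directive or appends one if it is
# missing or commented out. Uses a temp file instead of sed -i for portability.
disable_expose_php() {
    ini="$1"
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 2; }
    cp "$ini" "$ini.bak"
    if grep -q '^[[:space:]]*expose_php[[:space:]]*=' "$ini"; then
        sed 's/^[[:space:]]*expose_php[[:space:]]*=.*/expose_php = Off/' "$ini" > "$ini.tmp" \
            && mv "$ini.tmp" "$ini"
    else
        printf '\nexpose_php = Off\n' >> "$ini"
    fi
    echo "expose_php is now: $(expose_php_value "$ini")"
}

# Stand-alone demo on the constructed response; on a real host you would run
# e.g.  disable_expose_php /etc/php.ini  and then restart the web server.
echo "X-* headers in sample response:"
list_x_headers "$SAMPLE_RESPONSE"
if has_powered_by "$SAMPLE_RESPONSE"; then
    echo "X-Powered-By present: PHP version is being disclosed"
fi
```

After restarting Apache, confirm the change took effect with curl -sI against the site and check that no X-Powered-By line remains in the output; the .bak copy lets you roll back if the edit hit the wrong file.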

Additional Resources

Apache Tips & Tricks: Hide PHP version (X-Powered-By)
