
Hiding Unnecessary Response Headers Apache/PHP

One way to help protect your website/server is to not tell everyone what platform and application versions everything is running on. If you request a PHP file from my site, you see some response headers that could be useful to people looking to break in, cause havoc, etc.

Here is my request to aknosis.com (I’m viewing all of this in Firebug; if you don’t have it, get it, it is the best web development tool in my arsenal):

Date Wed, 14 Oct 2009 05:59:59 GMT
Server Apache/2.2.3 (CentOS) PHP/5.2.9 mod_ssl/2.2.3 OpenSSL/0.9.8b
X-Powered-By PHP/5.2.9
X-Pingback http://www.aknosis.com/akwp/xmlrpc.php
Expires Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified Wed, 14 Oct 2009 06:00:00 GMT
Cache-Control no-cache, must-revalidate, max-age=0
Pragma no-cache
Vary Accept-Encoding,User-Agent
Content-Encoding gzip
Content-Length 10636
Keep-Alive timeout=2, max=100
Connection Keep-Alive
Content-Type text/html; charset=UTF-8

So if I were running a known insecure version of PHP, Apache, or any other out-of-date software exposed in the response headers, an attacker would have to look no further to determine what you are using and how best to attack you.
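As an added example (not part of the original post), here is a small Python check that parses a header dump like the one above and lists every product/version string and every header that exists only to advertise the platform. The two sample dumps are constructed: the first mirrors the headers shown above, the second shows what the same response looks like once the version strings are suppressed.

```python
import re

# Constructed sample: the header dump from the post, in the two-column
# "Name value" layout Firebug shows. Plain HTTP "Name: value" lines also parse.
SAMPLE_HEADERS = """\
Date Wed, 14 Oct 2009 05:59:59 GMT
Server Apache/2.2.3 (CentOS) PHP/5.2.9 mod_ssl/2.2.3 OpenSSL/0.9.8b
X-Powered-By PHP/5.2.9
X-Pingback http://www.aknosis.com/akwp/xmlrpc.php
Cache-Control no-cache, must-revalidate, max-age=0
Content-Type text/html; charset=UTF-8
"""

# Constructed sample: the same response after versions have been suppressed.
HARDENED_HEADERS = """\
Date Wed, 14 Oct 2009 05:59:59 GMT
Server Apache
Cache-Control no-cache, must-revalidate, max-age=0
Content-Type text/html; charset=UTF-8
"""

# Headers whose only purpose is to advertise the platform; no browser needs them.
# (Server is handled separately: it can be trimmed, but Apache always sends it.)
ADVERTISING_HEADERS = {"x-powered-by", "x-pingback", "x-aspnet-version", "x-generator"}

# Matches "product/version" tokens such as Apache/2.2.3 or OpenSSL/0.9.8b.
VERSION_TOKEN = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+[A-Za-z0-9]*)")


def parse_headers(raw):
    """Return a list of (name, value) pairs from a Firebug-style or HTTP-style dump."""
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        first_token = line.split(None, 1)[0]
        if first_token.endswith(":"):          # "Name: value"
            name, value = line.split(":", 1)
        else:                                   # "Name value" (Firebug layout)
            parts = line.split(None, 1)
            name = parts[0]
            value = parts[1] if len(parts) > 1 else ""
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_version_disclosures(raw):
    """Return (header, product, version) for every version string in the dump."""
    found = []
    for name, value in parse_headers(raw):
        for product, version in VERSION_TOKEN.findall(value):
            found.append((name, product, version))
    return found


def advertising_headers(raw):
    """Return the names of headers present that exist only to advertise the platform."""
    return [name for name, _ in parse_headers(raw) if name.lower() in ADVERTISING_HEADERS]


def is_quiet(raw):
    """True when the dump leaks no version strings and no advertising headers."""
    return not find_version_disclosures(raw) and not advertising_headers(raw)


if __name__ == "__main__":
    for label, dump in (("original", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"== {label} ==")
        for header, product, version in find_version_disclosures(dump):
            print(f"  {header}: {product} {version}")
        for header in advertising_headers(dump):
            print(f"  unnecessary header: {header}")
        print("  quiet" if is_quiet(dump) else "  leaks platform details")
```

Run it against a saved `curl -sI` response or a Firebug dump to see what a server gives away before and after a change. The settings that produce the hardened shape are the standard ones: `ServerTokens Prod` and `ServerSignature Off` in the Apache configuration trim the Server header to the bare product name, and `expose_php = Off` in php.ini removes X-Powered-By. The X-Pingback header is emitted by WordPress itself rather than by Apache or PHP, so it is not affected by either setting.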

Apache



Tuesday, October 13th, 2009 Apache, System Administration
