Turning expose_php OFF in php.ini

Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow question: http://stackoverflow.com/questions/9617579/

Date: 2020-08-26 07:16:30  Source: igfitidea

Tags: php, pci-compliance

Asked by crmpicco

I have been advised that having expose_php = On in my php.ini is a security issue and is, therefore, not PCI compliant.

My research on it so far suggests that turning it off is low risk and will essentially stop sending back the PHP version in the header, however I am wondering if there are likely to be any issues that come on the back of this change.

Potential issues I am thinking of are third party services (payment providers, email tracking systems, video streaming APIs) that expect you to respond with a header that indicate you are running a version of PHP, possibly over a certain version?

Should this be a seamless change or does this have the potential for problems?

Answered by F21

That's correct.

Setting expose_php = Off just prevents the webserver from sending back the X-Powered-By header.

While one could say that potential hackers could look for out of date versions of PHP with security holes to exploit, they could potentially do the same even if the header was turned off. In my opinion, it is a good thing to do, but do not expect it to offer much protection.

In terms of interacting with third party services, they should not have to care about which version of PHP you are using. They should be able to serve content in platform-agnostic formats such as JSON, XML, etc, so that the services can be consumed by any platform and not just PHP.

In any case, for them to rely on the "consumer's" PHP version is useless, as the header can be easily turned off and perhaps even manipulated by the server administrator.

Therefore, it shouldn't be a problem turning it off.

Answered by alex

There should be no negative side effects when you disable expose_php.

All it does is remove the X-Powered-By header and stop GET params from returning PHP credits and images.

Any third party application that relies on the header is dodgy. You can always spoof the header if required.

Answered by Venu Gopal Mopidevi

There is no security threat in any way, but exposing an outdated version of PHP may be an invitation for hackers to try and exploit well documented 'holes' in past versions.

Regarding third party services, they are platform independent and should not have to care about which version of PHP we are using. If needed, we can simply set an empty header, or one like the one below.

header('X-Powered-By: Venu');
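F21's answer above states what expose_php = Off actually changes (the X-Powered-By header), and Venu's answer shows the header being overwritten from application code. The following script is an added example, not code from the thread or from PHP itself: it parses constructed HTTP responses and a constructed php.ini fragment entirely offline and reports whether a PHP version is still being disclosed, which is the check a PCI scan performs against the live site. All header values and the php.ini text are constructed samples; the Server header check assumes a web server configured to list its modules (for example Apache with ServerTokens Full), which expose_php does not control, so a clean X-Powered-By alone does not prove the version is hidden.

```python
"""Offline audit for PHP version disclosure in HTTP response headers and php.ini.

Added example, not from the StackOverflow thread. The sample responses and
the php.ini fragment below are constructed for illustration only.
"""
import re
from typing import Dict, List

# Headers that commonly carry a platform/version string.
DISCLOSURE_HEADERS = ("x-powered-by", "server")
PHP_VERSION_RE = re.compile(r"\bPHP/(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response (status line + headers + optional body)
    into a map of lower-cased header name -> list of values. The body
    after the blank line is ignored."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_php_disclosure(raw_response: str) -> List[str]:
    """Return one finding per header that leaks a PHP version.

    expose_php = On adds 'X-Powered-By: PHP/x.y.z'. A web server that
    advertises its modules (Apache 'ServerTokens Full') can also put
    'PHP/x.y.z' into the Server header, which expose_php does not control,
    so both headers are inspected. An X-Powered-By header without a PHP
    version (e.g. one overwritten by header()) is reported but not as a leak.
    """
    findings: List[str] = []
    headers = parse_headers(raw_response)
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            match = PHP_VERSION_RE.search(value)
            if match:
                findings.append(f"{name}: PHP version {match.group(1)} disclosed")
            elif name == "x-powered-by":
                findings.append(f"{name}: present ({value!r}), no PHP version")
    return findings


def expose_php_setting(php_ini_text: str) -> str:
    """Return the effective expose_php value from a php.ini fragment:
    'On', 'Off', or 'default' (PHP's built-in default is On when the
    directive is absent). The last uncommented assignment wins, as in
    php.ini itself; ';' starts a comment."""
    value = "default"
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        match = re.match(r"expose_php\s*=\s*(\S+)", line, re.IGNORECASE)
        if match:
            raw = match.group(1).strip("\"'").lower()
            value = "On" if raw in ("1", "on", "true", "yes") else "Off"
    return value


# Constructed sample responses (not captured from any real host).
RESPONSE_EXPOSED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)
RESPONSE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)
# Constructed php.ini fragment: a commented-out default followed by the override.
PHP_INI_SAMPLE = """
; expose_php = On
expose_php = Off  ; stop advertising the PHP version
"""

if __name__ == "__main__":
    print(find_php_disclosure(RESPONSE_EXPOSED))
    print(find_php_disclosure(RESPONSE_HARDENED))
    print(expose_php_setting(PHP_INI_SAMPLE))
```

To audit a real deployment, feed find_php_disclosure() the raw header block captured from your own server (for example the output of curl -sI against it) after restarting PHP, since expose_php is a system-level directive that cannot be changed at runtime; the php.ini parser is a convenience for checking the configuration file itself before the restart.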

Answered by Your Common Sense

There is absolutely no harm in either having this option on or off.

Turning it off won't add any security to your site though. Those script-kiddie tools are so dumb that they never bother to tell one platform from another.

Not to mention that if your site is framework/CMS-based, it is useless to hide PHP's presence anyway.