Hiding PHP's X-Powered-By header

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/2318806/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-25 06:01:16  Source: igfitidea

Hiding PHP's X-Powered-By header

Tags: php, header, http-headers

Asked by alex

I know in PHP, it sends the X-Powered-By header to have the PHP version.

I also know by appending some checksums, you can get access to PHP's credits, and some random images (more info here).

I also know in php.ini you can turn expose_php = off.

But here is something I have done on a few sites, and that is use

header('X-Powered-By: Alex');

When I view the headers, I can see that it is now 'Alex' instead of the PHP version. My question is, will this send the previous PHP header first (before it reaches my header()), and is it detectable by any sniffer program? Or are headers 'collected' by PHP, before being sent back to the browser?

By the way, this is not for security by obscurity, just curious how headers work in PHP.

Accepted answer by Powerlord

In PHP, headers aren't sent until PHP encounters its first output statement.

This includes anything before the first <?php.

This is also why setcookie throws a warning if you try to use it after something has been output:

Warning: Cannot modify header information - headers already sent by (output started at /path/to/php/file.php:100) in /path/to/php/file.php on line 150

Note that none of this applies if output buffering is in use, as the output will not be sent until the appropriate output buffering command is run.
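
The behaviour described in the accepted answer, as an added example (not code from the original question or answers): PHP collects headers until the first byte of the response body leaves the process, and output buffering postpones that moment, so header() keeps working even after an echo. The file name headers_demo.php and the X-Debug-* header names are assumptions for this demo; run it under a web SAPI such as the built-in server (plain `php headers_demo.php` would not print headers, because the CLI SAPI never emits them):

```php
<?php
// Added example, not from the original page. Run with:
//   php -S 127.0.0.1:8080 headers_demo.php
// and inspect the response headers with:
//   curl -sD - -o /dev/null http://127.0.0.1:8080/
// Requires PHP >= 7.4 (arrow functions). File name is an assumption.

declare(strict_types=1);

// Without output buffering, the first echo would flush the status line and
// every header collected so far; any later header() call would then fail
// with "Cannot modify header information - headers already sent".
// ob_start() keeps the body in memory instead, so headers stay open.
ob_start();

// When expose_php=On, PHP has already queued "X-Powered-By: PHP/x.y.z" at
// request start-up. header() with the default $replace=true overwrites the
// queued header of the same name rather than adding a second one.
header('X-Powered-By: Alex');

// Body output goes into the buffer, NOT to the client.
echo "hello\n";

$file = null;
$line = null;
// false: nothing has been sent yet, because the echo above was buffered.
$sentEarly = headers_sent($file, $line);

// Still allowed after the echo, thanks to the buffer: the last value wins.
header('X-Powered-By: Alex (set after echo)');

// headers_list() shows what PHP has queued so far; exactly one
// X-Powered-By entry remains after the two replace calls.
$poweredBy = array_values(array_filter(
    headers_list(),
    static fn(string $h): bool => strncasecmp($h, 'X-Powered-By:', 13) === 0
));

// Report what we observed in extra (assumed, demo-only) headers so the
// result is visible in the curl output alongside X-Powered-By itself.
header('X-Debug-Sent-Early: ' . ($sentEarly ? 'yes' : 'no'));        // no
header('X-Debug-Powered-By-Count: ' . count($poweredBy));            // 1
header('Content-Type: text/plain');

// ob_end_flush() sends the status line and all queued headers, then the
// buffered body, in that order. After this call headers_sent() is true.
ob_end_flush();
```

The curl output should contain a single X-Powered-By line carrying the second value, X-Debug-Sent-Early: no and X-Debug-Powered-By-Count: 1. Remove the ob_start() line and the second header() call fails with the "headers already sent" warning quoted above, because the echo flushed the headers.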

Answer by Kemo

You can set expose_php = Off in your php.ini if you don't want it to send the X-Powered-By header.

PHP first compiles everything (including which headers have which values) and then starts the output, not vice versa.

PHP is also detectable with its own easter eggs, you can read about this topic here: PHP Easter Eggs

Answer by cletus

See Apache Tips & Tricks: Hide PHP version (X-Powered-By)

Oops… As we can see PHP adds its own banner:

X-Powered-By: PHP/5.1.2-1+b1…

Let's see how we can disable it. In order to prevent PHP from exposing the fact that it is installed on the server, by adding its signature to the web server header, we need to locate in php.ini the variable expose_php and turn it off.

By default expose_php is set to On.

In your php.ini (based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing expose_php On and set it to Off:

expose_php = Off

After making this change PHP will no longer add its signature to the web server header. Doing this will not make your server more secure… it will just prevent remote hosts from easily seeing that you have PHP installed on the system and what version you are running.

Answer by Andy Shellam

Headers are "collected" by PHP before being sent back to the browser, so that you can override things like the status header. The way to test it is go to a command prompt, and type:

telnet www.yoursite.com 80
GET /index.php HTTP/1.1
Host: www.yoursite.com
[ENTER]
[ENTER]

And you'll see the headers that are sent in the response (replace /index.php with the URL of your PHP page after the domain.)

Answer by Ludwig

To get rid of the X-Powered-By header without having access to php.ini, simply add an empty header.

<?php header('X-Powered-By:'); ?>

This overwrites the default X-Powered-By header with an empty value, and though most clients and applications act like this header was not sent at all.

As noticed before, this must be inserted into the code before any output is sent.

And to answer your question:

Only your X-Powered-By header will be sent because it gets replaced by your header with the same name. So it can't be detected by a 'sniffer'.
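
The three in-code options touched on in Ludwig's answer and in the expose_php answers above, side by side, as an added example (not code from any of the original answers): overriding the value, sending an empty value, and removing the header outright with header_remove(). The file name powered_by_demo.php and the "mode" query parameter are assumptions for this demo; run it under a web SAPI such as the built-in server (requires PHP >= 7.4):

```php
<?php
// Added example, not from the original page. Run with:
//   php -S 127.0.0.1:8080 powered_by_demo.php
//   curl -sD - -o /dev/null "http://127.0.0.1:8080/?mode=override"
//   curl -sD - -o /dev/null "http://127.0.0.1:8080/?mode=empty"
//   curl -sD - -o /dev/null "http://127.0.0.1:8080/?mode=remove"
// "mode" and the file name are assumptions for this demo.

declare(strict_types=1);

/**
 * X-Powered-By entries PHP currently has queued for sending (may be empty).
 * @return list<string>
 */
function queuedPoweredBy(): array
{
    return array_values(array_filter(
        headers_list(),
        static fn(string $h): bool => strncasecmp($h, 'X-Powered-By:', 13) === 0
    ));
}

$mode = $_GET['mode'] ?? 'override';

// expose_php is PHP_INI_SYSTEM: it can only be changed in php.ini (or the
// SAPI's own config), never with ini_set() at runtime. So we only report it.
// When it is Off, PHP never queues the header and every branch below is a no-op.
$exposePhp = filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN);

switch ($mode) {
    case 'override':
        // Same name, default $replace=true: PHP's queued value is replaced.
        // The header still goes out, just with our value.
        header('X-Powered-By: Alex');
        break;

    case 'empty':
        // Ludwig's trick. The header stays queued (headers_list() shows it)
        // and is typically still emitted with an empty value, so a sniffer
        // can see that the header exists, only the PHP version is gone.
        header('X-Powered-By:');
        break;

    case 'remove':
        // PHP >= 5.3: drop the queued header entirely, no line is sent.
        header_remove('X-Powered-By');
        break;

    default:
        http_response_code(400);
        header('Content-Type: text/plain');
        echo "mode must be one of: override, empty, remove\n";
        exit;
}

// Nothing has been output yet, so these header() calls are still allowed.
header('Content-Type: text/plain');
echo 'expose_php (php.ini): ' . ($exposePhp ? 'On' : 'Off') . "\n";
echo "mode: {$mode}\n";
echo 'queued X-Powered-By headers: ' . json_encode(queuedPoweredBy()) . "\n";
```

With expose_php=On, the override and empty modes list one queued X-Powered-By entry and remove lists none; compare with what curl actually prints for each. Two caveats for anyone doing this to reduce fingerprinting rather than out of curiosity: code-level changes only cover requests that reach your script (not PHP fatal errors, static files served by the web server, or other vhosts), so expose_php = Off in php.ini is the reliable fix, optionally combined with stripping the header at the web server (Apache mod_headers `Header unset X-Powered-By`, nginx `fastcgi_hide_header X-Powered-By;`); and the Server header, cookie names like PHPSESSID, .php URLs and the easter eggs mentioned above still identify PHP.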

Answer by hakre

My question is, will this send the previous PHP header first (before it reaches my header(), and is it detectable by any sniffer program? Or are headers 'collected' by PHP, before being sent back to the browser?

No, it does not send the previous PHP header first. Headers are either sent or not sent (in complete, as one batch) in PHP. By default your header (Docs) call replaces a previous header with the same name (unless you specify something different with the second parameter).

Note:If PHP would not collect the headers, it would not be able to replace one.

As it does not send it earlier, it is not detectable with a sniffer program.

So yes, headers are collected by PHP and are sent the moment "the real" output starts (HTTP response body).

See as well headers_sent (Docs).