Hide PHP's X-Powered-By header

Posted 2024-08-23 08:28:14


I know that in PHP, it sends the X-Powered-By header with the PHP version.

I also know that by appending some checksums, you can get access to PHP's credits and some random images (more info here).

I also know that in php.ini you can turn expose_php = off.

But here is something I have done on a few sites, and that is to use

header('X-Powered-By: Alex');

When I view the headers, I can see that it is now 'Alex' instead of the PHP version. My question is, will this send the previous PHP header first (before it reaches my header()), and is it detectable by any sniffer program? Or are headers 'collected' by PHP before being sent back to the browser?

By the way, this is not for security by obscurity, just curiosity about how headers work in PHP.


Comments (8)

她说她爱他 2024-08-30 08:28:14


You can set expose_php = Off in your php.ini if you don't want it to send the X-Powered-By header.

PHP first compiles everything (including which headers have which values) and then starts the output, not vice versa.

PHP is also detectable via its own easter eggs; you can read about this topic here: PHP Easter Eggs

薄荷港 2024-08-30 08:28:14


See Apache Tips & Tricks: Hide PHP version (X-Powered-By)

Oops… As we can see, PHP adds its own banner:

X-Powered-By: PHP/5.1.2-1+b1…

Let's see how we can disable it. In order to prevent PHP from exposing the fact that it is installed on the server by adding its signature to the web server header, we need to locate the variable expose_php in php.ini and turn it off.

By default expose_php is set to On.

In your php.ini (based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing expose_php = On and set it to Off:

expose_php = Off

After making this change PHP will no longer add its signature to the web server header. Doing this will not make your server more secure… it will just prevent remote hosts from easily seeing that you have PHP installed on the system and what version you are running.

紫罗兰の梦幻 2024-08-30 08:28:14


In PHP, headers aren't sent until PHP encounters its first output statement.

This includes anything before the first <?php.

This is also why setcookie throws a warning if you try to use it after something has been output:

Warning: Cannot modify header information - headers already sent by (output started at /path/to/php/file.php:100) in /path/to/php/file.php on line 150

Note that none of this applies if output buffering is in use, as the output will not be sent until the appropriate output buffering command is run.

空宴 2024-08-30 08:28:14


To hide X-Powered-By: PHP/7.x.x, if you are using shared hosting then add the following code to your .htaccess file:

Header always unset X-Powered-By
Header unset X-Powered-By

Then reload the browser or clear the cache using the LiteSpeed Cache plugin: https://en.wordpress.org/plugins/litespeed-cache/

初熏 2024-08-30 08:28:14


To get rid of the X-Powered-By header without having access to php.ini, simply add an empty header.

<?php header('X-Powered-By:'); ?>

This overwrites the default X-Powered-By header with an empty value, and most clients and applications act as though this header was not sent at all.

As noted before, this must be inserted into the code before any output is sent.

And to answer your question:

Only your X-Powered-By header will be sent, because the default one gets replaced by your header with the same name. So it can't be detected by a 'sniffer'.

残月升风 2024-08-30 08:28:14


Headers are "collected" by PHP before being sent back to the browser, so that you can override things like the status header. The way to test it is to go to a command prompt and type:

telnet www.yoursite.com 80
GET /index.php HTTP/1.1
[ENTER]
[ENTER]

And you'll see the headers that are sent in the response (replace /index.php with the URL of your PHP page after the domain.)
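The raw request above, done programmatically so the check can be repeated after every configuration change. This is an added example, not part of the answer: it opens a plain TCP socket, sends one GET, and parses the status line and header block that actually leave the server, which is exactly what a "sniffer" would see. Unlike the telnet session it includes a Host header, which HTTP/1.1 requires (many servers answer 400 without it). The target 127.0.0.1:8080 and the path /index.php are assumptions; any local PHP endpoint works, for instance one started with php -S 127.0.0.1:8080 in a directory containing an index.php.

```php
<?php
// Added example (not from the original answer): a minimal raw HTTP/1.1 probe
// that does what the telnet session does, and reports whether the server
// still emits an X-Powered-By: PHP/... banner.
// Assumed target: php -S 127.0.0.1:8080 serving an index.php (hypothetical).
declare(strict_types=1);

/**
 * Send one GET over a plain TCP socket and return the raw status line plus
 * header block (everything up to the first empty line). A Host header is
 * sent because HTTP/1.1 requires it; Connection: close makes fgets() hit EOF.
 */
function fetch_raw_headers(string $host, int $port, string $path = '/index.php', float $timeout = 5.0): string
{
    $sock = @stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, $timeout);
    if ($sock === false) {
        throw new RuntimeException("connect failed: {$errstr} ({$errno})");
    }
    stream_set_timeout($sock, (int) $timeout);

    $request = "GET {$path} HTTP/1.1\r\n"
             . "Host: {$host}\r\n"
             . "Connection: close\r\n"
             . "\r\n";
    fwrite($sock, $request);

    $raw = '';
    while (($line = fgets($sock)) !== false) {
        if ($line === "\r\n" || $line === "\n") {   // blank line ends the header block
            break;
        }
        $raw .= $line;
    }
    fclose($sock);
    return $raw;
}

/**
 * Parse a raw header block into
 *   ['status' => 'HTTP/1.1 200 OK', 'headers' => ['x-powered-by' => ['PHP/8.3.0'], ...]]
 * Names are lower-cased because header names are case-insensitive on the
 * wire; values are kept as lists because a header may legitimately repeat
 * (e.g. when header() was called with $replace = false).
 */
function parse_header_block(string $raw): array
{
    $lines  = preg_split("/\r?\n/", rtrim($raw));
    $status = array_shift($lines) ?? '';
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue; // ignore malformed lines
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return ['status' => $status, 'headers' => $headers];
}

/** True if any X-Powered-By value discloses a PHP version banner. */
function leaks_php_version(array $parsed): bool
{
    foreach ($parsed['headers']['x-powered-by'] ?? [] as $value) {
        if (stripos($value, 'PHP/') === 0) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI === 'cli') {
    $parsed = parse_header_block(fetch_raw_headers('127.0.0.1', 8080));
    echo $parsed['status'], PHP_EOL;
    foreach ($parsed['headers'] as $name => $values) {
        foreach ($values as $v) {
            echo "{$name}: {$v}", PHP_EOL;
        }
    }
    echo leaks_php_version($parsed) ? 'PHP version exposed' : 'no PHP banner', PHP_EOL;
}
```

Run it with php probe.php (filename assumed) once with expose_php = On and once with it Off, or with the header overridden in code, and compare the two listings; because the probe reads the bytes the server writes, it also shows a duplicated X-Powered-By if an application appended rather than replaced it.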

不醒的梦 2024-08-30 08:28:14


My question is, will this send the previous PHP header first (before it reaches my header()), and is it detectable by any sniffer program? Or are headers 'collected' by PHP before being sent back to the browser?

No, it does not send the previous PHP header first. Headers are either sent or not sent (in full, as one batch) in PHP. By default your header (Docs) call replaces a previous header with the same name (unless you specify something different with the second parameter).

Note: If PHP did not collect the headers, it would not be able to replace one.

As it does not send it earlier, it is not detectable with a sniffer program.

So yes, headers are collected by PHP and are sent the moment "the real" output starts (the HTTP response body).

See as well headers_sent (Docs).

唯憾梦倾城 2024-08-30 08:28:14


PHP has a built-in function to remove headers: header_remove().

To remove the X-Powered-By header, you can use:

<?php

header_remove(
    name: 'X-Powered-By'
);

As you can see, you only have to pass the header name as a string parameter, and you are done.

Note that the name parameter is parsed case-insensitively, so you are fine calling it with x-powered-by as well.

Since PHP 8.0.0, when calling the function without the name parameter, all previously set headers will be unset.
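The behaviour described in the answers above (headers are collected until the first byte of body output, header() replaces a same-named header unless told otherwise, header('X-Powered-By:') leaves an empty-valued header, header_remove() drops it case-insensitively, and output buffering keeps the header set open) can be observed in one script with headers_list() and headers_sent(). This is an added example and not code from any of the answers. It assumes it is served by a web SAPI, for instance php -S 127.0.0.1:8080 headers_demo.php followed by curl -si http://127.0.0.1:8080/ (filename and port are assumptions); under the CLI SAPI header() is a no-op and headers_list() is empty, so the demo has to be reached over HTTP. The X-Powered-By value seen in the first step depends on expose_php being On.

```php
<?php
// Added example (not from the original answers): trace PHP's pending header
// set through replace, append, remove, the empty-value trick, and output
// buffering. Serve with a web SAPI, e.g.
//   php -S 127.0.0.1:8080 headers_demo.php      (assumed filename/port)
//   curl -si http://127.0.0.1:8080/
declare(strict_types=1);

/** Snapshot of the not-yet-sent header set, keyed by lower-cased name. */
function pending_headers(): array
{
    $out = [];
    foreach (headers_list() as $line) {
        if (strpos($line, ':') === false) {
            continue;
        }
        [$name, $value] = explode(':', $line, 2);
        $out[strtolower(trim($name))][] = trim($value);
    }
    return $out;
}

$log = [];

// 1. What PHP queued before our code ran: X-Powered-By if expose_php = On.
$log['initial'] = pending_headers()['x-powered-by'] ?? [];

// 2. header() replaces an existing header of the same name by default.
header('X-Powered-By: Alex');
$log['after_replace'] = pending_headers()['x-powered-by'] ?? [];

// 3. With $replace = false it appends instead; both values then leave the
//    server, which is the one case a sniffer really would see two banners.
header('X-Powered-By: Alex2', false);
$log['after_append'] = pending_headers()['x-powered-by'] ?? [];

// 4. header_remove() drops every instance; the name match is case-insensitive.
header_remove('x-powered-by');
$log['after_remove'] = pending_headers()['x-powered-by'] ?? [];

// 5. The empty-value trick keeps the header in the list with an empty value
//    and emits "X-Powered-By:"; clients generally treat that as absent.
header('X-Powered-By:');
$log['after_empty'] = pending_headers()['x-powered-by'] ?? [];
header_remove('X-Powered-By');

// 6. Nothing has been written yet, so the header set is still mutable.
$log['headers_sent_before_output'] = headers_sent();

// 7. The first body byte normally flushes the whole header block in one write.
//    With ob_start() the body is held back, so header() keeps working after
//    an echo; without it the later header() call would trigger
//    "Cannot modify header information - headers already sent".
ob_start();
header('Content-Type: text/plain; charset=utf-8');
echo "Header demo\n";
header('X-Demo-Late: still-mutable-under-output-buffering');
$log['headers_sent_inside_buffer'] = headers_sent();
$log['late_header_present']        = isset(pending_headers()['x-demo-late']);
ob_end_flush(); // releases the body; the header block goes out right before it

// 8. The block has left the process: headers_sent() is now true and reports
//    where output started, so we can skip a header() call that would only warn.
$log['headers_sent_after_flush'] = headers_sent($file, $line);
if (!$log['headers_sent_after_flush']) {
    header('X-Never: reached');
}

echo json_encode($log, JSON_PRETTY_PRINT), "\n";
```

The JSON body shows the header list at each step, while curl -si shows what was finally sent: only the last state of X-Powered-By (none, after step 5) and the late X-Demo-Late header, confirming that nothing is written to the socket until output begins.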
