Hide PHP's X-Powered-By header
I know that PHP sends an X-Powered-By
header containing the PHP version.
I also know that by appending some checksums, you can get access to PHP's credits and some random images (more info here).
I also know that in php.ini you can turn expose_php = off.
But here is something I have done on a few sites, and that is use
header('X-Powered-By: Alex');
When I view the headers, I can see that it is now 'Alex' instead of the PHP version. My question is, will this send the previous PHP header first (before it reaches my header()), and is it detectable by any sniffer program? Or are headers 'collected' by PHP before being sent back to the browser?
By the way, this is not for security by obscurity, just curious how headers work in PHP.
Comments (8)
You can set
expose_php = Off
in your php.ini if you don't want it to send the X-Powered-By header. PHP first compiles everything (including which headers have which values) and then starts the output, not vice versa.
PHP is also detectable with its own easter eggs; you can read about this topic here:
PHP Easter Eggs

See Apache Tips & Tricks: Hide PHP version (X-Powered-By)
In PHP, headers aren't sent until PHP encounters its first output statement.
This includes anything before the first
<?php
.
This is also why setcookie throws a warning if you try to use it after something has been output:
Note that none of this applies if output buffering is in use, as the output will not be sent until the appropriate output buffering command is run.
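The timing this answer describes (headers held back until the first byte of output, and output buffering moving that point), shown as an added example that is not from the original answer. The `buffer` query parameter and the file name are assumptions for the demo.

```php
<?php
// Added example (not from the answer): PHP collects headers until the first byte of
// output leaves the process; output buffering postpones that moment.
// Run with the built-in server:  php -S 127.0.0.1:8080 headers_demo.php
// then compare:  curl -i 'http://127.0.0.1:8080/'  and  curl -i 'http://127.0.0.1:8080/?buffer=1'

$useBuffer = isset($_GET['buffer']);   // constructed switch for the demo

if ($useBuffer) {
    ob_start();   // output goes to a buffer, so the header batch stays modifiable
}

echo "first output\n";   // without buffering, this is where the headers are flushed

// Buffered:   headers_sent() is still false, so the header() calls are accepted.
// Unbuffered: headers_sent() is true; header() would warn
//             "Cannot modify header information - headers already sent" and be ignored.
if (!headers_sent($file, $line)) {
    header('X-Powered-By: Alex');       // replaces the default PHP/x.y.z value
    header('X-Demo-Buffered: yes');
} else {
    // Record where output began instead of triggering the warning.
    error_log("headers already sent at $file:$line; cannot change X-Powered-By");
}

if ($useBuffer) {
    ob_end_flush();   // the complete header batch goes out now, then the buffered body
}
```

The built-in server forces output_buffering off, so the two requests differ; under Apache or FPM with output_buffering enabled in php.ini, the unbuffered request would also succeed, which is the output-buffering caveat the answer ends with.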
To hide X-Powered-By: PHP/7.x.x, if you are using shared hosting then add the following code in the .htaccess file
Then reload the browser or clear the cache using the LiteSpeed Cache plugin: https://en.wordpress.org/plugins/litespeed-cache/
To get rid of the X-Powered-By header without having access to php.ini, simply add an empty header.
This overwrites the default X-Powered-By header with an empty value, and most clients and applications act as though this header was not sent at all.
As noticed before, this must be inserted into the code before any output is sent.
And to answer your question:
Only your X-Powered-By header will be sent, because the default one is replaced by your header with the same name. So it can't be detected by a 'sniffer'.
Headers are "collected" by PHP before being sent back to the browser, so that you can override things like the status header. The way to test it is to go to a command prompt and type:
And you'll see the headers that are sent in the response (replace /index.php with the URL of your PHP page after the domain).
No, it does not send the previous PHP header first. Headers are either sent or not sent (complete, as one batch) in PHP. By default your
header
Docs call replaces a previous header with the same name (unless you specify something different with the second parameter). As it is not sent earlier, it is not detectable with a sniffer program.
So yes, headers are collected by PHP and are sent the moment "the real" output starts (the HTTP response body).
See as well
headers_sent
Docs.PHP 有一个内置函数来删除标头:
header_remove( )
。要删除
X-Powered-By
标头,您可以使用:如您所见,您只需将标头名称作为字符串作为参数传递即可。
请注意,
name
参数的解析不区分大小写,因此您也可以使用x-powered-by
调用它。自 PHP
8.0.0
起,当调用不带name
参数的函数时,所有先前设置的标头都将被取消设置。PHP has a built-in function to remove headers:
header_remove()
.To remove the
X-Powered-By
header, you can use:As you can see, you only have to pass the header name as a string as parameter, and you are done.
Note that
name
parameter is parsed not case-sensitive, so you are fine calling it withx-powered-by
as well.Since PHP
8.0.0
when calling the function without thename
parameter, all previously set headers will be unset.
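An added example (not the answers' own code) that makes the replacement semantics from the last few answers visible by reading headers_list() before any output: header() replacing the default value, header() with the second parameter set to false, header_remove() with a differently-cased name, and the empty-header trick. The xPoweredBy() helper is an assumption for the demo; run it under a web SAPI such as php -S and request the script.

```php
<?php
// Added example (not from the answers): observe the collected-but-unsent header batch
// at each step. Run with:  php -S 127.0.0.1:8080 header_steps.php   then  curl -i http://127.0.0.1:8080/
// Requires expose_php = On (the default) so that PHP's own X-Powered-By is present at start.

function xPoweredBy(): array
{
    // Only the X-Powered-By entries from the headers PHP has collected so far.
    return array_values(array_filter(
        headers_list(),
        fn(string $h) => stripos($h, 'X-Powered-By:') === 0
    ));
}

$steps = [];
$steps['initial (expose_php on)'] = xPoweredBy();           // one entry: X-Powered-By: PHP/<version>

header('X-Powered-By: Alex');                                // replace=true (default): PHP's value is gone
$steps["after header('X-Powered-By: Alex')"] = xPoweredBy(); // one entry: X-Powered-By: Alex

header('X-Powered-By: Bob', false);                          // replace=false: a second value is appended
$steps['after header(..., false)'] = xPoweredBy();           // two entries: Alex and Bob

header_remove('x-powered-by');                               // name matched case-insensitively
$steps['after header_remove()'] = xPoweredBy();              // no entries

header('X-Powered-By:');                                     // the empty-header trick from the answer above
$steps['after empty header'] = xPoweredBy();                 // one entry with an empty value

header_remove('X-Powered-By');                               // leave nothing to send in this demo response
header('Content-Type: text/plain');

// First output: only now does the (single) batch of headers leave the process.
foreach ($steps as $label => $values) {
    echo str_pad($label, 42), json_encode($values), "\n";
}
```

The response body lists the state after each step, while `curl -i` shows that the headers actually transmitted contain no X-Powered-By at all, confirming that nothing was sent "early" for a sniffer to see.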