HTTP Headers

Discussion in 'General Discussion' started by fidividi, Mar 15, 2014.

  1. fidividi

    Hello,

    My cPanel server is giving me the information below when I load a Joomla CMS hosted on it:

    Server:Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
    Transfer-Encoding:chunked
    Vary:User-Agent
    X-Content-Encoded-By:Joomla! 2.5
    X-Powered-By:PHP/5.3.27


    Is there a way to modify this information, or at least the Apache headers or PHP parts, to avoid information which may be used by hackers to identify vulnerabilities depending on the versions of software used?
     
  2. robb3369

    For Apache: Go into WHM, under Apache Config and set the Server Signature to "Off"
    For Joomla: Edit source or use this extension:
    /http://extensions.joomla.org/extensions/site-management/browsers-a-web-standards/12736

    For PHP: Add the following in the php.ini: expose_php = off
     
  3. fidividi



    Hi Rob,

    I applied your recommended changes (for PHP and Apache). Only PHP expose_php was on, and I changed it to off. The Apache signature option was off already. Yet nothing changed; I still see the PHP version, and of course the Apache details....

    - - - Updated - - -

    PHP expose_php worked on another server. But didn't on the main one.

    And apart from Apache, what about nginx, for instance? Any way to disable the version and information with that?
     
  4. fidividi

    For anyone else having the same issue, as far as Apache, you also need to change to "Product Only" under "Server Tokens" in "Home » Service Configuration » Apache Configuration"
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I just wanted to note that while hiding the version of Joomla might make it less of a target, it's important to ensure the latest versions of the software are used. Taking the time to ensure your customers use the latest versions of PHP scripts like Joomla will go a long way in helping to reduce the likelihood of an exploited account.

    Thank you.
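
To confirm that the settings discussed in this thread actually took effect, the response headers can be re-checked for product/version strings. The following is an added example, not part of the thread or of cPanel's tooling; the function names and the `AFTER` sample are constructed, and the regex goes beyond the three headers discussed by flagging any header that carries a `product/version` token.

```python
import re

# A product token followed by a dotted version, e.g. "Apache/2.2.26" or "Joomla! 2.5".
VERSION_RE = re.compile(r"([A-Za-z][\w!.-]*)[/ ]+(\d+(?:\.\d+)+[\w.-]*)")

# Remediation per header, as given in the replies in this thread.
FIXES = {
    "server": 'WHM Apache Configuration: Server Tokens "Product Only", Server Signature "Off"',
    "x-powered-by": "php.ini: expose_php = off",
    "x-content-encoded-by": "Joomla: edit source or use an extension to remove the header",
}

def parse_headers(raw):
    """Split 'Name:value' lines into (name, value) pairs, skipping malformed lines."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name:
            pairs.append((name.strip(), value.strip()))
    return pairs

def audit(raw):
    """Return (header, ['product version', ...], suggested fix) for each leaking header."""
    findings = []
    for name, value in parse_headers(raw):
        leaks = [f"{prod} {ver}" for prod, ver in VERSION_RE.findall(value)]
        if leaks:
            findings.append((name, leaks, FIXES.get(name.lower(), "review manually")))
    return findings

# Headers as posted at the top of the thread.
BEFORE = """
Server:Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Transfer-Encoding:chunked
Vary:User-Agent
X-Content-Encoded-By:Joomla! 2.5
X-Powered-By:PHP/5.3.27
"""

# Constructed sample: the same response once all three changes are in place.
AFTER = "Server:Apache\nTransfer-Encoding:chunked\nVary:User-Agent\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(f"[{label}] {len(audit(raw))} header(s) disclose versions")
        for name, leaks, fix in audit(raw):
            print(f"  {name}: {', '.join(leaks)}\n    fix: {fix}")
```

If a header still shows up after a change, as happened with expose_php on the main server above, paste the fresh response headers into `audit()` to see exactly which setting has not been picked up.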
     