HTTP Headers

[fidividi]

Hello,

My cPanel server is giving me below information when I load a joomla CMS hosted on it:

Server:Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Transfer-Encoding:chunked
Vary:User-Agent
X-Content-Encoded-By:Joomla! 2.5
X-Powered-By:PHP/5.3.27


Is there a way to modify these information, or at least Apache headers or PHP parts, to avoid information which may be used by hackers to identify vulnerabilities depending on versions of softwares used?

 

[robb3369]

For Apache: Go into WHM, under Apache Config and set the Server Signature to "Off"
For Joomla: Edit source or use this extension:
/http://extensions.joomla.org/extensions/site-management/browsers-a-web-standards/12736

For PHP: Add the following in the php.ini: expose_php = off

 

[fidividi]

For Apache: Go into WHM, under Apache Config and set the Server Signature to "Off"
For PHP: Add the following in the php.ini: expose_php = off

Hi Rob,

I applied your recommended changes (for PHP and Apache). Only PHP expose_php was on, and I changed to off. Apache signature option was off already. Yet, nothing changed, I still see PHP version, and ofcourse apache details....

- - - Updated - - -

PHP expose_php worked on another server. But didn't on the main one.

And apart from Apache, what about nginx for instance? Anyway to disable the version and information with that?

 

[fidividi]

For anyone else having the same issue, as far as Apache, you also need to change to "Product Only" under "Server Tokens" in "Home »Service Configuration »Apache Configuration"

 

[cPanelMichael]

Hello

I just wanted to note that while hiding the version of Joomla might make it less of a target, it's important to ensure the latest versions of the software are used. Taking the time to ensure your customers use the latest versions of PHP scripts like Joomla will go a long way in helping to reduce the likelihood of an exploited account.

Thank you.