PHP expose_php Explained: Configuration, Security, and Best Practices
Introduction
The expose_php directive controls whether PHP advertises its presence by sending the X-Powered-By HTTP response header. When enabled, this header may reveal that a website is running PHP and, in some cases, its version.
Although disabling expose_php does not eliminate software vulnerabilities, it reduces unnecessary information disclosure and is widely considered a security best practice for production servers.
This guide explains how expose_php works, how to configure it, and why disabling it is recommended for public-facing websites.
Test Environment
What Is expose_php?
The expose_php directive determines whether PHP includes the X-Powered-By HTTP response header.
Example:
expose_php = On
When enabled, a response header may look similar to:
X-Powered-By: PHP/8.3.10
This reveals that the application is powered by PHP and may also disclose the installed PHP version.
How expose_php Works
A typical request follows this process:
When expose_php is disabled, PHP omits the X-Powered-By header from the response.
Check the Current Value
Run:
Example:
expose_php => On => On
Or verify using:
Search for:
expose_php
Locate the Active php.ini File
php --ini
Example:
Loaded Configuration File: /etc/php.ini
If you are using PHP-FPM, edit the configuration file used by PHP-FPM rather than only the CLI configuration.
Disable expose_php
Open the PHP configuration file.
Find:
expose_php = On
Change it to:
expose_php = Off
Save the file.
Restart PHP-FPM
Apply the new configuration.
Verify:
Expected output:
Active: active (running)
Verify the HTTP Response Header
Use curl to inspect the response headers.
If expose_php is enabled, you may see:
After disabling expose_php, the X-Powered-By header should no longer appear.
Why Disable expose_php?
The X-Powered-By header provides information that is generally unnecessary for visitors.
Potential risks include:
Revealing that the application uses PHP.
Exposing the installed PHP version.
Assisting automated vulnerability scanners.
Providing attackers with additional information for reconnaissance.
While hiding this header does not prevent attacks, reducing publicly available system details is a common principle of secure server configuration.
expose_php vs Server Header
These settings control different HTTP response headers.
For example:
Server: nginx
X-Powered-By: PHP/8.3.10
Disabling expose_php removes only the second header. The Server header is managed separately by the web server.
Common Issues
X-Powered-By Header Still Appears
Possible reasons include:
PHP-FPM has not been restarted.
A reverse proxy adds the header.
The application explicitly sends the header using PHP code.
Another component, such as a framework or middleware, inserts the header.
Verify the response headers after each configuration change.
phpinfo() Still Shows expose_php
This is expected.
The phpinfo() page displays the current configuration values and is not affected by whether the X-Powered-By header is sent.
Security Considerations
Disabling expose_php should be viewed as one part of a broader security strategy.
Other recommended practices include:
Keep PHP updated with security patches.
Disable display_errors on production servers.
Enable log_errors for troubleshooting.
Remove unnecessary PHP extensions.
Restrict access to sensitive files.
Keep your web server and operating system updated.
Security is most effective when multiple layers of protection are combined.
Best Practices
Set expose_php = Off on production servers.
Restart PHP-FPM after modifying the configuration.
Verify the response headers using curl -I.
Combine this setting with other PHP and web server security measures.
Regularly update PHP to receive security fixes.
Conclusion
The expose_php directive determines whether PHP exposes its presence through the X-Powered-By HTTP response header. Although disabling this header does not remove software vulnerabilities, it reduces unnecessary information disclosure and aligns with common security hardening practices.
For production environments, setting expose_php = Off is a simple, low-risk configuration change that helps minimize the information available to automated scanners and potential attackers.
Explore More
› PHP opcache.max_accelerated_files Explained: Configuration, Performance, and Best Practices
› PHP opcache.validate_timestamps Explained: Configuration, Code Updates, and Best Practices
› PHP opcache.revalidate_freq Explained: Configuration, Performance, and Best Practices
› PHP opcache.enable Explained: Configuration, Performance, and Best Practices