PHP expose_php Explained: Configuration, Security, and Best Practices

Published: 2026-07-08
Google AdSense 广告位 (待申请通过后开启)

Introduction

The expose_php directive controls whether PHP advertises its presence by sending the X-Powered-By HTTP response header. When enabled, this header may reveal that a website is running PHP and, in some cases, its version.

Although disabling expose_php does not eliminate software vulnerabilities, it reduces unnecessary information disclosure and is widely considered a security best practice for production servers.

This guide explains how expose_php works, how to configure it, and why disabling it is recommended for public-facing websites.

Test Environment

Operating System : AlmaLinux 10
PHP Version      : PHP 8.3
Web Server       : Nginx
PHP-FPM          : Enabled
Architecture     : x86_64
Last Tested      : July 2026

What Is expose_php?

The expose_php directive determines whether PHP includes the X-Powered-By HTTP response header.

Example:

expose_php = On

When enabled, a response header may look similar to:

X-Powered-By: PHP/8.3.10

This reveals that the application is powered by PHP and may also disclose the installed PHP version.

How expose_php Works

A typical request follows this process:

Browser
      │
      ▼
Nginx
      │
      ▼
PHP-FPM
      │
      ▼
Generate Response
      │
      ▼
expose_php
      │
 ┌────┴─────┐
 │          │
On         Off
 │          │
 ▼          ▼
Add        Do Not Add
Header     Header

When expose_php is disabled, PHP omits the X-Powered-By header from the response.

Check the Current Value

Run:

php -i | grep expose_php

Example:

expose_php => On => On

Or verify using:

<?php
phpinfo();

Search for:

expose_php

Locate the Active php.ini File

php --ini

Example:

Loaded Configuration File: /etc/php.ini

If you are using PHP-FPM, edit the configuration file used by PHP-FPM rather than only the CLI configuration.

Disable expose_php

Open the PHP configuration file.

sudo nano /etc/php.ini

Find:

expose_php = On

Change it to:

expose_php = Off

Save the file.

Restart PHP-FPM

Apply the new configuration.

sudo systemctl restart php-fpm

Verify:

sudo systemctl status php-fpm

Expected output:

Active: active (running)

Verify the HTTP Response Header

Use curl to inspect the response headers.

curl -I https://example.com

If expose_php is enabled, you may see:

HTTP/2 200 OK
Server: nginx
X-Powered-By: PHP/8.3.10

After disabling expose_php, the X-Powered-By header should no longer appear.

Why Disable expose_php?

The X-Powered-By header provides information that is generally unnecessary for visitors.

Potential risks include:

Revealing that the application uses PHP.

Exposing the installed PHP version.

Assisting automated vulnerability scanners.

Providing attackers with additional information for reconnaissance.

While hiding this header does not prevent attacks, reducing publicly available system details is a common principle of secure server configuration.

expose_php vs Server Header

These settings control different HTTP response headers.

| Setting                  | Purpose                                                   |
| ------------------------ | --------------------------------------------------------- |
| `expose_php`             | Controls the `X-Powered-By` header generated by PHP       |
| Web server configuration | Controls the `Server` header generated by Nginx or Apache |

For example:

Server: nginx

X-Powered-By: PHP/8.3.10

Disabling expose_php removes only the second header. The Server header is managed separately by the web server.

Common Issues

X-Powered-By Header Still Appears

Possible reasons include:

PHP-FPM has not been restarted.

A reverse proxy adds the header.

The application explicitly sends the header using PHP code.

Another component, such as a framework or middleware, inserts the header.

Verify the response headers after each configuration change.

phpinfo() Still Shows expose_php

This is expected.

The phpinfo() page displays the current configuration values and is not affected by whether the X-Powered-By header is sent.

Security Considerations

Disabling expose_php should be viewed as one part of a broader security strategy.

Other recommended practices include:

Keep PHP updated with security patches.

Disable display_errors on production servers.

Enable log_errors for troubleshooting.

Remove unnecessary PHP extensions.

Restrict access to sensitive files.

Keep your web server and operating system updated.

Security is most effective when multiple layers of protection are combined.

Best Practices

Set expose_php = Off on production servers.

Restart PHP-FPM after modifying the configuration.

Verify the response headers using curl -I.

Combine this setting with other PHP and web server security measures.

Regularly update PHP to receive security fixes.

Conclusion

The expose_php directive determines whether PHP exposes its presence through the X-Powered-By HTTP response header. Although disabling this header does not remove software vulnerabilities, it reduces unnecessary information disclosure and aligns with common security hardening practices.

For production environments, setting expose_php = Off is a simple, low-risk configuration change that helps minimize the information available to automated scanners and potential attackers.

Explore More

Technology Guides →

PHP opcache.max_accelerated_files Explained: Configuration, Performance, and Best Practices

PHP opcache.validate_timestamps Explained: Configuration, Code Updates, and Best Practices

PHP opcache.revalidate_freq Explained: Configuration, Performance, and Best Practices

PHP opcache.enable Explained: Configuration, Performance, and Best Practices

Southeast Asia Insights →