How to Hide PHP Version on Ubuntu Nginx Server

When hosting your website or web application on an Ubuntu server with Nginx and PHP, it’s essential to secure your setup by minimizing exposed information. One common security risk is showing the PHP version in response headers or error pages. Revealing your PHP version gives attackers insights into possible vulnerabilities they can exploit.

In this guide, you’ll learn step-by-step how to hide the PHP version when using Nginx on Ubuntu, an important best practice for improving your website’s security posture.

Why Hide the PHP Version?

By default, PHP displays its version in the HTTP headers and error messages. For example, when you run a site with PHP-FPM on Nginx, the response header might look like this:

X-Powered-By: PHP/8.2.12

This header reveals unnecessary details about your backend configuration. Attackers can use this information to target known vulnerabilities specific to that PHP version. Hiding it helps reduce your exposure to automated attacks and scanners.

Step-by-Step: Hide PHP Version in Nginx (Ubuntu)

Step 1: Disable the “X-Powered-By” Header in PHP

First, you need to tell PHP not to expose its version.
Open your PHP configuration file:

sudo nano /etc/php/8.2/fpm/php.ini

(Replace 8.2 with your PHP version if different.)

Find this line:

expose_php = On

Change it to:

expose_php = Off

Save and exit the file by pressing Ctrl + O, then Enter, and Ctrl + X.

Now, restart PHP-FPM to apply changes:

sudo systemctl restart php8.2-fpm

Step 2: Remove “Server Tokens” in Nginx

Next, prevent Nginx from showing version details.

Open the Nginx configuration file:

sudo nano /etc/nginx/nginx.conf

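Find the http block and add the following line inside it. If the block already contains a server_tokens directive (possibly commented out), edit that line instead of adding a second one, because Nginx rejects a duplicate directive: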

server_tokens off;

This hides the Nginx version from the Server response header and from the footer of Nginx’s built-in error pages.

Step 3: Restart Nginx

Once you’ve made the changes, restart the Nginx service:

sudo systemctl restart nginx

Step 4: Verify the Result

You can verify if the headers are hidden using the curl command:

curl -I https://yourdomain.com

You should no longer see:

X-Powered-By: PHP/8.x.x

or

Server: nginx/1.xx.x

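With server_tokens off, Nginx still sends a Server header, but it reads only nginx, with no version number. If X-Powered-By is gone and the Server header shows no version – congratulations! Your Ubuntu server is now more secure.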
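
The check in Step 4 can be scripted so it is easy to repeat after upgrades or config changes. The following is an added example, not part of the original guide: a POSIX shell function (audit_headers is a name chosen here) that reads curl -sI output and flags an X-Powered-By header or a Server header that carries a version number. The sample responses in it are constructed.

```shell
#!/bin/sh
# Added example: flag version-disclosing headers in `curl -sI` output.
# Reads raw response headers on stdin, prints one line per finding,
# returns 0 when clean and 1 when a version leak is found.
audit_headers() {
    local cr line name value leak=0
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                           # curl keeps CRLF line endings
        case "$line" in *:*) ;; *) continue ;; esac  # skip status line and blanks
        # Header names are case-insensitive (HTTP/2 sends them lowercase)
        name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        value=${line#*:}
        value=${value# }
        case "$name" in
            x-powered-by)
                # expose_php = Off removes this header completely
                echo "LEAK x-powered-by: $value"; leak=1 ;;
            server)
                # server_tokens off still sends "nginx", just without "/1.x.y"
                case "$value" in
                    */[0-9]*) echo "LEAK server: $value"; leak=1 ;;
                esac ;;
        esac
    done
    return "$leak"
}

# Constructed sample responses (not captured from a real server).
before='HTTP/1.1 200 OK\r\nServer: nginx/1.24.0 (Ubuntu)\r\nX-Powered-By: PHP/8.2.12\r\n\r\n'
after='HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'

printf '%b' "$before" | audit_headers || echo "before: version information exposed"
printf '%b' "$after"  | audit_headers && echo "after: no version headers found"

# Against a live site (placeholder domain from this guide):
#   curl -sI https://yourdomain.com | audit_headers
```

Because the function returns a non-zero status on a leak, it can also be run from a cron job or deployment check to catch a php.ini or nginx.conf that was reset by a package upgrade.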

Tip: Use Security Headers

To further improve your security, consider adding HTTP security headers in your Nginx configuration:

add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";

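These headers help protect your website against clickjacking, XSS, and MIME-type sniffing attacks. Note that current major browsers have removed the XSS filter that X-XSS-Protection controlled, so a Content-Security-Policy header is the more effective XSS defense today.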

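Security begins with small but impactful steps. Hiding your PHP version and Nginx tokens may seem minor, but it takes away the version details that automated scanners use to match your server against known vulnerabilities. It does not fix those vulnerabilities, so treat it as a complement to patching, not a replacement.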

Keep your Ubuntu server and PHP packages updated, monitor your error logs, and regularly audit your HTTP headers for leaks. With these best practices, your web applications will remain safer and more professional.
