Hiding PHP's X-Powered-By header

You can set expose_php = Off in your php.ini if you don't want it to send the X-Powered-By header.

PHP first compiles everything (including which headers have which values) and then starts the output, not vice versa.

PHP is also detectable through its own easter eggs; you can read about this topic here: PHP Easter Eggs


See Apache Tips & Tricks: Hide PHP version (X-Powered-By)

Oops… As we can see, PHP adds its own banner:

X-Powered-By: PHP/5.1.2-1+b1…

Let’s see how we can disable it. In order to prevent PHP from exposing the fact that it is installed on the server by adding its signature to the web server header, we need to locate the variable expose_php in php.ini and turn it off.

By default expose_php is set to On.

In your php.ini (based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing expose_php On and set it to Off:

expose_php = Off

After making this change PHP will no longer add its signature to the web server header. Doing this will not make your server more secure… it will just prevent remote hosts from easily seeing that you have PHP installed on the system and what version you are running.
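
One way to verify the change described in the answers above, as an added example that is not part of the original posts: `expose_php_state` reports the effective value in a php.ini-style file (commented lines ignored, last assignment wins) and `powered_by_php` flags the banner in raw response headers. Both function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the expose_php setting (names are hypothetical).

# Print the effective expose_php value in a php.ini-style file:
# "on", "off", or "default-on" when the directive is absent
# (the page states that expose_php defaults to On).
expose_php_state() {
    awk '
        /^[ \t]*;/ { next }                       # skip commented-out lines
        {
            line = $0
            sub(/;.*$/, "", line)                 # drop a trailing comment
            if (line ~ /^[ \t]*expose_php[ \t]*=/) {
                sub(/^[^=]*=/, "", line)          # keep only the value
                gsub(/[ \t\r"]/, "", line)        # trim blanks, CR and quotes
                val = tolower(line)               # a later assignment overrides
                seen = 1
            }
        }
        END {
            if (!seen) print "default-on"
            else if (val ~ /^(on|true|yes)$/ || val + 0 != 0) print "on"
            else print "off"
        }
    ' "$1"
}

# Read raw HTTP response headers on stdin, print any X-Powered-By line that
# names PHP, and return 0 if one was found (1 otherwise).
# Typical use against a host you operate: curl -sI <url> | powered_by_php
powered_by_php() {
    grep -i '^x-powered-by:[[:space:]]*php'
}

# Constructed sample: a commented-out "Off" followed by the live directive,
# the case where a quick grep for "expose_php = Off" gives a false pass.
sample=$(mktemp)
printf '%s\n' '[PHP]' ';expose_php = Off' 'expose_php = On ; still exposed' > "$sample"
echo "sample php.ini: expose_php is $(expose_php_state "$sample")"
rm -f "$sample"
```

Run `expose_php_state` on each php.ini the server actually loads, then confirm with `powered_by_php` after restarting the web server, since the file check alone does not prove the running process picked up the change.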


In PHP, headers aren't sent until PHP encounters its first output statement.

This includes anything before the first <?php.

This is also why setcookie throws a warning if you try to use it after something has been output:

Warning: Cannot modify header information - headers already sent by (output started at /path/to/php/file.php:100) in /path/to/php/file.php on line 150

Note that none of this applies if output buffering is in use, as the output will not be sent until the appropriate output buffering command is run.