Hiding PHP's X-Powered-By header


Problem description


I know in PHP, it sends the X-Powered-By header to have the PHP version.

I also know by appending some checksums, you can get access to PHP's credits, and some random images (more info here).

I also know in php.ini you can turn expose_php = off.

But here is something I have done on a few sites, and that is use

header('X-Powered-By: Alex');

When I view the headers, I can see that it is now 'Alex' instead of the PHP version. My question is, will this send the previous PHP header first (before it reaches my header()), and is it detectable by any sniffer program? Or are headers 'collected' by PHP, before being sent back to the browser?

By the way, this is not for security by obscurity, just curious how headers work in PHP.

Solution

In PHP, headers aren't sent until PHP encounters its first output statement.

This includes anything before the first <?php.

This is also why setcookie throws a warning if you try to use it after something has been output:

Warning: Cannot modify header information - headers already sent by (output started at /path/to/php/file.php:100) in /path/to/php/file.php on line 150

Note that none of this applies if output buffering is in use, as the output will not be sent until the appropriate output buffering command is run.
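The header queue described in the answer can be inspected directly. The script below is an added example, not part of the original question or answer; it assumes PHP 7.4+, expose_php left on, and a web SAPI such as the built-in server (the file name demo.php and the X-Demo header are made up for illustration).

```php
<?php
// Added example. Run under a web SAPI, for instance:
//   php -S 127.0.0.1:8000 demo.php
// and request http://127.0.0.1:8000/ (under the CLI, headers_list() comes back empty).

// Diagnostics are collected here so that nothing is output while headers are still being changed.
$log = [];

// Pending X-Powered-By header line(s) in PHP's header queue (not yet on the wire).
function poweredBy(): array
{
    return array_values(array_filter(
        headers_list(),
        static fn (string $h): bool => stripos($h, 'X-Powered-By:') === 0
    ));
}

$log[] = 'at start:       ' . json_encode(poweredBy()); // PHP version when expose_php is on

header('X-Powered-By: Alex');  // $replace defaults to true: overwrites the queued value
$log[] = 'after header(): ' . json_encode(poweredBy());

header_remove('X-Powered-By'); // drops the header from the queue altogether
$log[] = 'after remove:   ' . json_encode(poweredBy());

ob_start();                    // buffered output does not trigger sending of headers
echo "buffered body\n";
$log[] = 'sent while buffering: ' . var_export(headers_sent(), true);
header('X-Demo: still-allowed'); // accepted, because nothing has reached the client yet

// Flush every buffer level (including one set by output_buffering in php.ini).
// The first bytes of body force the header block out ahead of them.
while (ob_get_level() > 0) {
    ob_end_flush();
}

$sent = headers_sent($file, $line);
$log[] = 'sent after flush:     ' . var_export($sent, true) . " (output started at $file:$line)";

echo implode("\n", $log), "\n";
```

The original version string only ever exists in the queue, so it never reaches the network once it has been replaced or removed before the first output; setting expose_php = off keeps it from being queued at all.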
