Removing X-Powered-By

Tutorial on how to remove the X-Powered-By response header.

Edited: 2013-06-29 12:27

Sometimes servers send more headers than your application really needs to function. One of these headers is called X-Powered-By, and it shows information about the server-side technologies in use.

There can be many reasons to hide it. Publicly displaying which PHP version you are using could potentially be a security risk if a hacker is familiar with a known exploit in the version you are using. It is a rather big IF, however, so if you want to hide it, do it to save bandwidth, or do it for fun :-)

Hiding PHP's X-Powered-By Header

Hiding the X-Powered-By header in PHP can be a matter of using the header function, as shown below.

header('X-Powered-By: ');

Delivering a blank header, of any type, usually removes it. You can also disable the header at the source: edit php.ini and set the expose_php setting to off, i.e.

expose_php = off

You can also fill the header with your own little message, or perhaps the name of your custom CMS, for awesomeness' sake ;-)

header('X-Powered-By: Hacker!');

The location of PHP headers

When you are setting headers with PHP, it is important that you do so before any other output has been sent to the browser. In other words, before any echo, and before the HTML is sent to the browser. I.e.

<?php
header('X-Powered-By: Hacker!');

// Body output comes after Headers
echo 'Hallo';
?>

Attempting to set headers after output has been sent will result in a warning like the one below.

Warning: Cannot modify header information - headers already sent by (output started at /path/to/php/myfile.php:50) in /path/to/php/myfile.php on line 144
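
The two points above (removing the header, and doing it before any output) combined into one check. This is an added example, not code from the original tutorial: it uses PHP's built-in header_remove(), headers_sent() and headers_list(), and the helper name strip_disclosure_headers() is hypothetical. It assumes PHP 7 or later.

```php
<?php
// Added example, not from the original tutorial.
// strip_disclosure_headers() is a hypothetical helper name.

/**
 * Remove response headers that reveal the server-side stack.
 * Returns the names that could not be confirmed as removed.
 */
function strip_disclosure_headers(array $names = ['X-Powered-By']): array
{
    // Once output has started, the header block has already left the
    // server, so header() and header_remove() can no longer change it.
    if (headers_sent($file, $line)) {
        error_log("Cannot strip headers: output started at $file:$line");
        return $names;
    }

    foreach ($names as $name) {
        header_remove($name);
    }

    // Check the headers PHP still has queued for this response.
    $wanted = array_map('strtolower', $names);
    $remaining = [];
    foreach (headers_list() as $queued) {
        $queuedName = strtolower(trim(explode(':', $queued, 2)[0]));
        if (in_array($queuedName, $wanted, true)) {
            $remaining[] = $queuedName;
        }
    }
    return $remaining;
}

// Call this before any echo or HTML.
$left = strip_disclosure_headers();
if ($left !== []) {
    error_log('Still exposed: ' . implode(', ', $left));
}

// header_remove() only affects this script; expose_php is the global switch.
if (filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('expose_php is on; set expose_php = off in php.ini');
}

// Body output comes after headers
echo 'Hallo';
```

headers_list() only shows headers queued by PHP itself, so a header added later by the web server or a proxy has to be checked in the actual HTTP response.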