Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
394 views
in Technique[技术] by (71.8m points)

pci compliance - Turning expose_php OFF in php.ini

I have been advised that having expose_php = On in my php.ini is a security issue and is, therefor, not PCI compliant.

My research on it so far suggests that turning it off is low risk and will essentially stop sending back the PHP version in the header, however I am wondering if there are likely to be any issues that come on the back of this change.

Potential issues I am thinking of are third party services (payment providers, email tracking systems, video streaming APIs) that expect you to respond with a header that indicate you are running a version of PHP, possibly over a certain version?

Should this be a seamless change or does this have the potential for problems?

question from:https://stackoverflow.com/questions/9617579/turning-expose-php-off-in-php-ini

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

That's correct.

Setting expose_php = Off just prevents the webserver from sending back the X-Powered-By header.

While one could say that potential hackers could look for out of date versions of PHP with security holes to exploit, they could potentially do the same even if the header was turned off. In my opinion, it is a good thing to do, but do not expect it to offer much protection.

In terms of interacting with third party services, they should not have to care about which version of PHP you are using. They should be able to serve content in platform-agnostic formats such as JSON, XML, etc, so that the services can be consumed by any platform and not just PHP.

In anycase, for them to rely on the "consumer's" PHP version is useless, as the header can be easily turned off and perhaps even manipulated by the server administrator.

Therefore, it shouldn't be a problem turning it off.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...