We have a Win2008 server running IIS7 and php 5.3.17 installed.
For pentesting & other security purposes we would like to remove the header response: "X-Powered-By: PHP/5.3.17", so we've tried turn Off the "expose_php" option in the c:\php\php.ini file, and also installed the UrlScan 3.1 with its corresponding "RemoveServerHeader = 1" but this last urlscan appears to be only for IIS headers, also we modified web.config file with the below directive:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
Neither one of the solutions mentioned worked.
So, my big question is what else we can modify to remove this php header from the IIS server? It is quite annoying issue, because on other similar (win2008, IIS7, PHP5) server we just modified the php.ini file and it works fine!!!
We would really appreciate your comments and help, thanks in advance.
Best Answer
You need to set
expose_php=offin the PHP configuration.See https://stackoverflow.com/questions/2661799/removing-x-powered-by