PHP Programming/Secure HTTP headers
The HTTP headers returned by a PHP script can reveal information that exposes it to attacks, and the same headers can also be used to harden it.
Hide versions
To avoid being targeted by attacks that exploit a known PHP or web server version, it is better not to reveal those versions in the HTTP headers.
This is usually done in the server configuration files, but it can also be done in PHP:

```php
// expose_php is a PHP_INI_SYSTEM directive: it only takes effect from php.ini or
// the server configuration, so this ini_set() call is a no-op at request time.
ini_set('expose_php', 'Off');
// header() replaces any header of the same name, including the
// "X-Powered-By: PHP/x.y.z" header PHP adds when expose_php is on.
header('X-Powered-By: UnknownWebServer');
```
Other attacks
Other attacks (HTTP header injection, cross-site scripting, clickjacking, MIME sniffing, abuse of browser features) can be mitigated by configuration and by the security headers the script sends.
Examples of protections (each PHP header() call takes a single "Name: value" string; the Apache-style form without the colon, or with a trailing "always", sends a malformed header):

```php
// register_globals was removed in PHP 5.4; on older versions it is PHP_INI_PERDIR
// and must be disabled in php.ini or .htaccess, not with ini_set().
ini_set('register_globals', 'Off');
// 'unsafe-inline' in script-src lets injected inline scripts run, which weakens
// the XSS protection the policy is meant to provide.
header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:");
header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');
header('Referrer-Policy: origin');
header('Permissions-Policy: geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()');
```

Attention: a badly configured policy (for example a Content-Security-Policy that omits an origin the page really loads from) blocks legitimate resources and can provoke cross-origin resource sharing (CORS) errors in the browser.
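The following is an added example, not code from the original page: it gathers the headers above in one function so every script sends the same set, replaces 'unsafe-inline' in script-src with a per-request nonce, and checks headers_sent() before emitting. The function names (generate_nonce, security_headers, send_security_headers) are hypothetical.

```php
<?php
// Added example: centralised security headers with a CSP nonce.

function generate_nonce(): string
{
    // A fresh random nonce per response; base64 contains no CR/LF, so it is safe in a header.
    return base64_encode(random_bytes(16));
}

function security_headers(string $nonce): array
{
    $csp = [
        "default-src 'self'",
        "style-src 'self' 'unsafe-inline'",
        // Only inline <script nonce="..."> tags carrying this exact nonce may run;
        // an injected inline script does not know the nonce and is blocked.
        "script-src 'self' 'nonce-$nonce'",
        "img-src 'self' data:",
    ];
    return [
        'X-Powered-By'            => 'UnknownWebServer',
        'Content-Security-Policy' => implode('; ', $csp),
        'X-Frame-Options'         => 'SAMEORIGIN',
        'X-Content-Type-Options'  => 'nosniff',
        'Referrer-Policy'         => 'origin',
        'Permissions-Policy'      => 'geolocation=(), microphone=(), camera=(), fullscreen=(self), payment=()',
    ];
}

function send_security_headers(string $nonce): void
{
    if (headers_sent($file, $line)) {
        // Any output (even a stray space before "<?php") makes header() a no-op;
        // fail loudly so the missing headers are noticed during development.
        trigger_error("Headers already sent in $file on line $line", E_USER_WARNING);
        return;
    }
    foreach (security_headers($nonce) as $name => $value) {
        header("$name: $value"); // replaces any earlier header of the same name
    }
}

$nonce = generate_nonce();
send_security_headers($nonce);
?>
<!doctype html>
<title>Nonce demo</title>
<script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES) ?>">console.log('allowed by CSP');</script>
```

The nonce must be generated again for every response and echoed into each legitimate inline script tag; reusing a fixed value would defeat the protection.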