PHP Programming/Secure HTTP headers

From Wikibooks, open books for an open world

The HTTP headers returned by a PHP script can reveal information about its vulnerabilities.

Hide versions

To avoid becoming a target of the vulnerabilities known for a given PHP or web server version, it is better to hide those versions in the HTTP headers.

This is generally done in the server configuration files, but it can also be done in PHP:

<?php
ini_set('expose_php', 'Off'); // no effect at runtime (expose_php is PHP_INI_SYSTEM): set "expose_php = Off" in php.ini instead
header('X-Powered-By: UnknownWebServer'); // replaces the X-Powered-By header that PHP would otherwise send

Other attacks

HTTP header injection and related attacks can be mitigated by configuration.

Examples of protections:

<?php
ini_set('register_globals', 'Off'); // legacy PHP only: the directive was removed in PHP 5.4 and is PHP_INI_PERDIR, so it must be set in php.ini, not at runtime

// PHP's header() expects "Name: value"; the Apache "Header set" syntax (quoted value, "always") is not understood here.
header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:"); // 'unsafe-inline' in script-src weakens the XSS protection CSP offers
header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');
header('Referrer-Policy: origin');
header('Permissions-Policy: geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()');

Warning: a misconfigured policy can cause cross-origin resource sharing (CORS) errors.
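As an added example that is not code from the Wikibooks page, the following script ties the two sections together: it removes the version-revealing X-Powered-By header at runtime (the fallback when php.ini cannot be edited), sends the protections listed above in the "Name: value" form PHP expects, refuses header values containing CR/LF or other control characters (the root of HTTP header injection), and audits the headers queued for the response. The function names safe_header, security_headers, send_security_headers and audit_headers, and the sample header list used in the CLI branch, are this example's own assumptions.

```php
<?php
// Added example, not part of the Wikibooks page. Function names are assumptions.
declare(strict_types=1);

// Header values must be single lines: a CR/LF in attacker-controlled data would
// otherwise start a new header line. PHP itself refuses newlines in header(),
// but only with a warning; this wrapper fails loudly and also rejects other
// control characters.
function safe_header(string $name, string $value, bool $replace = true): void
{
    if (!preg_match('/\A[A-Za-z0-9-]+\z/', $name)) {
        throw new InvalidArgumentException("Invalid header name: $name");
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException("Control character in header value for $name");
    }
    header("$name: $value", $replace);
}

// The protections from the page, as name => value pairs in PHP's syntax.
function security_headers(): array
{
    return [
        'Content-Security-Policy' => "default-src 'self'; style-src 'self' 'unsafe-inline'; "
            . "script-src 'self' 'unsafe-inline'; img-src 'self' data:",
        'X-Frame-Options'         => 'SAMEORIGIN',
        'X-Content-Type-Options'  => 'nosniff',
        'Referrer-Policy'         => 'origin',
        'Permissions-Policy'      => 'geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),'
            . 'magnetometer=(),gyroscope=(),fullscreen=(self),payment=()',
    ];
}

function send_security_headers(): void
{
    // expose_php is PHP_INI_SYSTEM and cannot be changed with ini_set(); removing
    // the header PHP has already queued is the runtime alternative.
    header_remove('X-Powered-By');
    foreach (security_headers() as $name => $value) {
        safe_header($name, $value);
    }
}

// Audit a list of "Name: value" lines (by default the headers queued for the
// current response via headers_list()): report version disclosure in
// X-Powered-By / Server and any protection from security_headers() that is absent.
function audit_headers(?array $sent = null): array
{
    $sent = $sent ?? headers_list();
    $present = [];
    foreach ($sent as $line) {
        [$name, $value] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        $present[strtolower($name)] = $value;
    }
    $findings = [];
    foreach (['x-powered-by', 'server'] as $leak) {
        // A "/digit" pattern such as "PHP/8.2" or "Apache/2.4" is a version string.
        if (isset($present[$leak]) && preg_match('~/\d~', $present[$leak])) {
            $findings[] = "version disclosed in $leak: {$present[$leak]}";
        }
    }
    foreach (array_keys(security_headers()) as $required) {
        if (!isset($present[strtolower($required)])) {
            $findings[] = "missing $required";
        }
    }
    return $findings;
}

if (PHP_SAPI !== 'cli') {
    send_security_headers();
    // A constructed value with an embedded line break must never reach header().
    try {
        safe_header('Location', "/home\r\nX-Injected: 1");
    } catch (InvalidArgumentException $e) {
        error_log('rejected: ' . $e->getMessage());
    }
    foreach (audit_headers() as $finding) {
        error_log($finding);
    }
} else {
    // Offline run on a constructed header list (not a real response):
    // flags the PHP version leak and the four missing protections.
    print_r(audit_headers([
        'X-Powered-By: PHP/8.2.0',
        'Content-Type: text/html; charset=UTF-8',
        'Referrer-Policy: origin',
    ]));
}
```

Call send_security_headers() before any output is produced, since header() cannot act once the body has started; audit_headers() can then be run in a development environment to confirm that no version string is left and every expected protection is queued.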