隐藏 PHP 的 X-Powered-By 标头
我知道在 PHP 中,它发送 X-Powered-By
标头以获得 PHP 版本.
I know in PHP, it sends the X-Powered-By
header to have the PHP version.
我还知道,通过附加一些校验和,您可以获得 PHP 的积分和一些随机图像(更多信息在这里).
I also know by appending some checksums, you can get access to PHP's credits, and some random images (more info here).
我也知道在 php.ini 中你可以关闭 expose_php = off
.
I also know in php.ini you can turn expose_php = off
.
但这是我在几个网站上做过的事情,那就是使用
But here is something I have done on a few sites, and that is use
header('X-Powered-By: Alex');
当我查看标题时,我可以看到它现在是Alex"而不是 PHP 版本.我的问题是,这是否会首先发送前一个 PHP 标头(在它到达我的 header()
之前,它是否可以被任何嗅探器程序检测到?或者标头是否被 PHP '收集',之前 正在发送回浏览器?
When I view the headers, I can see that it is now 'Alex' instead of the PHP version. My question is, will this send the previous PHP header first (before it reaches my header()
, and is it detectable by any sniffer program? Or are headers 'collected' by PHP, before being sent back to the browser?
顺便说一句,这不是为了安全起见,只是好奇标头在 PHP 中是如何工作的.
By the way, this is not for security by obscurity, just curious how headers work in PHP.
推荐答案
在 PHP 中,直到 PHP 遇到第一个输出语句时才会发送标头.
In PHP, headers aren't sent until PHP encounters its first output statement.
这包括第一个 <?php
之前的任何内容.
This includes anything before the first <?php
.
这也是为什么 setcookie 如果您在输出某些内容后尝试使用它会引发警告:
This is also why setcookie sends throws a warning if you try to use it after something has been output:
警告:无法修改标题信息 - 已发送的标头(输出开始于/path/to/php/file.php:100) 在/path/to/php/file.php 在第 150 行
Warning: Cannot modify header information - headers already sent by (output started at /path/to/php/file.php:100) in /path/to/php/file.php on line 150
请注意,如果 输出缓冲 正在使用,则这些都不适用,因为在运行适当的输出缓冲命令.
Note that none of this applies if output buffering is in use, as the output will not be sent until the appropriate output buffering command is run.
相关文章