PHP reveals its presence on the server in a variety of ways: It may send an HTTP header (X-Powered-By: PHP), or append its name and version to Apache’s signature. In addition, there are easter egg URLs that return the PHP logo or some PHP authors, one of them is:
http://www.host.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Obviously there is no reason to let end users know about the server’s PHP version. Luckily, there is a switch in php.ini that will disable all of the above:
1 | expose_php = Off |