4

Is there a way to mask my real server technology, say from PHP to show up as Python, when checked by sites like http://builtwith.com? Or at least to not show anything at all?

kirogasa
PT Desu

5 Answers

5

Assuming you're using Apache, you can change the default "tell all" behaviour with the ServerTokens and ServerSignature directives:

ServerTokens Prod
ServerSignature Off

This'll remove identifying marks from error pages, and only return the server name with HTTP requests, instead of all of your installed modules. Here's an example with ServerTokens commented out:

14:45:52 bartley:~ > curl -I http://www.test.com
HTTP/1.1 200 OK
Date: Mon, 16 May 2011 13:54:48 GMT
Server: Apache/2.2.15 (EL) DAV/2 PHP/5.2.16 mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.4 Perl/v5.8.8
Accept-Ranges: bytes
Content-Length: 16457
Cache-Control: max-age=300, must-revalidate
Expires: Mon, 16 May 2011 13:59:48 GMT
Vary: Accept-Encoding,Cookie
Connection: close
Content-Type: text/html; charset=UTF-8

..and here's one with it set to Prod:

14:44:25 bartley:~ > curl -I http://www.test.com
HTTP/1.1 200 OK
Date: Mon, 16 May 2011 13:54:19 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 16457
Cache-Control: max-age=300, must-revalidate
Expires: Mon, 16 May 2011 13:59:19 GMT
Vary: Accept-Encoding,Cookie
Connection: close
Content-Type: text/html; charset=UTF-8

EDIT: As @Marc points out, PHP can also add an X-Powered-By HTTP header. This can be disabled by adding expose_php = Off in your php.ini.

Nick
  • 1
    There is the `X-Powered-By` header, which is controlled by `expose_php` in php.ini. Apache's configuration is NOT the only place that PHP can expose itself. – Marc B May 16 '11 at 14:49
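Added example (not part of the original answers): a Python check that parses a `curl -I` header dump and reports which headers still disclose the stack, covering both the Server header governed by ServerTokens and the X-Powered-By header governed by expose_php. The two samples are abbreviated from the curl output in the answer above, with a constructed X-Powered-By line added; the function names are hypothetical.

```python
import re

# Response headers that commonly disclose the server-side stack.
DISCLOSING = ("server", "x-powered-by")
# Matches product/version tokens such as Apache/2.2.15 or Perl/v5.8.8.
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(v?\d[\w.-]*)")

# Abbreviated from the answer's first curl output; the X-Powered-By
# line is constructed to show the expose_php = On case.
BEFORE = """HTTP/1.1 200 OK
Date: Mon, 16 May 2011 13:54:48 GMT
Server: Apache/2.2.15 (EL) DAV/2 PHP/5.2.16 mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.16
Content-Type: text/html; charset=UTF-8
"""

# Abbreviated from the second curl output (ServerTokens Prod).
AFTER = """HTTP/1.1 200 OK
Date: Mon, 16 May 2011 13:54:19 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Parse a `curl -I` style dump into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return (header, kind, tokens); kind is 'version' or 'product'."""
    findings = []
    headers = parse_headers(raw)
    for name in DISCLOSING:
        for value in headers.get(name, []):
            versions = ["/".join(m) for m in VERSION_TOKEN.findall(value)]
            kind = "version" if versions else "product"
            findings.append((name, kind, versions or [value]))
    return findings

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        for finding in audit(sample):
            print(label, *finding)
```

On the second sample the audit still reports a product-only finding, since ServerTokens Prod keeps `Server: Apache` in the response.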
4

The link provided by builtwith.com to remove your site from their lookup service is:

http://builtwith.com/removals

(Credit due to the person with user name "gary" who originally posted this link as a comment on the question; however, the link has since changed and it is better posted in an answer so it can be easily seen.)

Community
authentictech
  • 1
    Keep in mind that removing this info from one site (like builtwith) still leaves a lot of other sites scraping the same information. So the best option is to prevent this data from being leaked at the server level. – jtlindsey Aug 13 '21 at 19:28
3

I've seen this question asked with many other packages. The result is always that hiding what something is running, that's publicly accessible, is not really possible, and not worth the time. Time's better spent tightening real security issues like keeping private directories private etc., correct set-up and keeping the software up to date.

Jodes
1

If you are using LiteSpeed, you can set the Server and X-Powered-By headers to anything you like, using either .htaccess or PHP.

.htaccess

Header always set X-Powered-By Something
Header always set Server Something

PHP

header('X-Powered-By: Something');
header('Server: Something');

Mike Rockétt
0

I think they test some paths that are unique to CMSs and index your website info in their databases. I try to use "IP Deny Manager" in cPanel to deny the IPs of those domains in order to prevent unwanted indexing by those sites.

Bo Persson
Behzad-Ravanbakhsh