Home » Php » pci compliance – Turning expose_php OFF in php.ini

pci compliance – Turning expose_php OFF in php.ini

Posted by: admin April 23, 2020 Leave a comment


I have been advised that having expose_php = On in my php.ini is a security issue and is, therefor, not PCI compliant.

My research on it so far suggests that turning it off is low risk and will essentially stop sending back the PHP version in the header, however I am wondering if there are likely to be any issues that come on the back of this change.

Potential issues I am thinking of are third party services (payment providers, email tracking systems, video streaming APIs) that expect you to respond with a header that indicate you are running a version of PHP, possibly over a certain version?

Should this be a seamless change or does this have the potential for problems?

How to&Answers:

That’s correct.

Setting expose_php = Off just prevents the webserver from sending back the X-Powered-By header.

While one could say that potential hackers could look for out of date versions of PHP with security holes to exploit, they could potentially do the same even if the header was turned off. In my opinion, it is a good thing to do, but do not expect it to offer much protection.

In terms of interacting with third party services, they should not have to care about which version of PHP you are using. They should be able to serve content in platform-agnostic formats such as JSON, XML, etc, so that the services can be consumed by any platform and not just PHP.

In anycase, for them to rely on the “consumer’s” PHP version is useless, as the header can be easily turned off and perhaps even manipulated by the server administrator.

Therefore, it shouldn’t be a problem turning it off.


There should be no negative side effects when you disable expose_php.

All it does is remove the X-Powered-By header and stop GET params from returning PHP credits and images.

Any third party application that relies on the header is dodgy. You can always spoof the header if required.


There is no security threat in any way, but exposing an outdated version of PHP may be an invitation for hackers to try and exploit well documented ‘holes’ in past versions.

Regarding third party services, they are platform independent and should not have to care about which version of PHP we are using. If needed we can set simply an empty header or like below.

header('X-Powered-By: Venu');


There is absolutely no harm in either having this option on or off.

Turning it off won’t add any security to your site though.
Those script-kiddie tools are so dumb that they never bother to tell one platform from another.

Not to mention that if your site is some framework/CMS based it is useless to hide PHP presence anyway.