OWASP security recommendation: hide PHP version from web server by default
I've noticed that in a default Plesk installation the web server is configured to disclose the PHP version. This could be exploited, especially with a lot of websites still running insecure PHP versions.
I think it's not much trouble to implement this simple "security through obscurity" step to not disclose this information and help attackers detect vulnerabilities in PHP itself.
Thank you for your input! We will consider this functionality in upcoming releases if it is popular.
Everyone, please continue voting for this feature if you consider it important.
— IG
[Deleted User] commented
It's not suitable to print the actual PHP version in the HTTP header.
It's an attack surface - the "scanner" could see if PHP 5, 7, 8 is running and in which version. Maybe put it in the PHP settings section of Plesk, default "off".