On Fri, Feb 27, 2009 at 2:35 PM, Ryan Barnett <Ryan.Barnett@breach.com> wrote:
-----Original Message-----
From: Mike Yrabedra [mailto:lists@323inc.com]
Sent: Friday, February 27, 2009 6:13 AM
To: modsec-users
Subject: [mod-security-users] Disable php_flag version?



Is there any way I can change ( or disable ) what PHP version is returned
when someone does a scan of my server?

[Ryan Barnett] The problem is that there are so many ways that application version information data may leak out.  Check out some of the comments here - http://www.php.net/manual/en/security.hiding.php.  You might want something like "expose_php=Off" in your php.ini file.  ModSecurity can help to hide the php module info in the Server response header if you set the SecServerSignature directive.


But not in reverse proxy mode with mod_proxy. You have to use mod_headers.

Regards

Elia