This article is applicable to VPS or Dedicated server owners which use Plesk (Linux) as their hosting management system.
When you host your websites with Plesk (Linux), it by default adds “X-Powered-By” response headers to each HTTP request. This problem usually is server-wide, meaning it could affect all of your websites if you have a Plesk server.
The presence of these headers is not only a security flaw, but it also adds additional bytes to each HTTP request, when a visitor is viewing your site content. And by “each” I mean that every image, javascript or css file downloaded from your website will be returned with these headers – which all of course sums up.
Check if your server is affected by this problem
#1 Open your website via Google Chrome browser, right click on the window and press on “Inspect” – this will open up Google Chrome Developer Tools.
#2 Click on the “Network” tab, then choose “Doc” in the request filter and select the first HTML document loaded from your website domain
#3 Now look at the “Headers” tab of the particular request and inspect the “Response Headers” section. Look for “X-Powered-By” headers – if you see at least one of these, you know for sure – this security flaw affects you.
How to remove X-Powered-By headers from a Plesk server
First login to your Plesk server via SSH as a root user.
Remove X-Powered-By: PleskLin header
For this you will need to edit the Plesk settings file (panel.ini). Use the linux command below to open this file:
plesk conf panel.iniNow, as with the usual “vi” editor, press the “INSERT” key to edit the file contents and append these lines to the file (or just the xPoweredByHeader variable under the [webserver] section if it already exists on this file):
[webserver]
xPoweredByHeader = offExit the editing mode by pressing an ESC key. Type in the console :wq! afterwards and press enter to save the file and exit the file editor.
As a final step – recreate the web-server configuration for domains with this command:
plesk repair web -domains-onlyRemove X-Powered-By: PHP header
Check what kind of PHP versions are installed on your server. This command should output something like “8.1, 8.2, 8.3”:
dir /opt/plesk/php/
Note that for each PHP version you will need to edit PHP configuration file separately.
Repeat these further steps for each of the listed PHP versions:
#1 Check if a PHP version has the “expose_php” directive enabled – use this command, but replace the X.X in it with a PHP version which is installed on your server:
cat /opt/plesk/php/X.X/etc/php.ini | grep expose_php#2 If you see it enabled, disable it by changing this directive in the PHP configuration file. Open php.ini file as usual via the “vi” editor (do not forget to change the X.X in this linux command with an actual PHP version on your server):
vi /opt/plesk/php/X.X/etc/php.ini#3 When on the “vi” editor, first type /expose_php and press [ENTER] to find the corresponding line you need to change, then press an [INSERT] key and change the value of this directive from “On” to “Off“. After you’re done, press an [ESC] key, type :wq! and press the [ENTER] key to save the changes and exit the editor.
Reboot your server
Last step – restart your server with a “reboot” command. You will experience a little bit of downtime but this will be the easiest way to reload PHP configuration for all websites.