We can follow the below steps to remove the PHP X-Powered-By header from HTTP response for PHP 8.x apps on Linux App Service –
By default, PHP version is getting displayed as in the below screenshot-
Updating PHP Settings-
- Go to your KUDU site https://<sitename>.scm.azurewebsites.net.
- Select Bash or SSH from the top menu.
- In Bash/SSH, go to your "/home/site" directory.
- Create a directory called "ini" (i.e. mkdir ini)
- Change directories to "ini".
- We'll need to create an "ini" file to add our settings to. In this example, I'm using "settings.ini". There are no file editors such as Vi, Vim, or Nano so we'll simply use echo to add the settings to the file. I'm changing the expose_php setting to Off. Below is the command that I used to add the setting and create an "settings.ini" file if one doesn't already exist.
NOTE: If you already have an extensions.ini file, you can use the same command which will add the new setting to the file.
/home/site/ini>echo " expose_php = Off " >> settings.ini
If using SSH, you can use vi to create/edit the settings file using the following commands.
- vi settings.ini
- Press "i" on your keyboard to start editing and add the following.
expose_php = Off
3. Press "Esc", then ":wq!" and enter to save.
Add an Application Setting-
We'll now need to go to the Azure Portal and add an Application Setting to scan the "ini" directory
1) Go to the Azure Portal (https://portal.azure.com) and select your App Service Linux PHP application.
2) Select Application Settings for the app.
3) Under the Application settings section, press the "+ Add new setting".
4) For the App Setting Name, enter "PHP_INI_SCAN_DIR". For the value, enter "/usr/local/etc/php/conf.d:/home/site/ini"
Testing –
Go to kudu site and run the command below and you can verify that PHP header is removed.
CURL -I <site url pointing to a PHP script>
