Plesk for Linux
kb: how-to
ABT: Group B
Applicable to:
- Plesk for Linux
Question
How to remove/modify the header X-Powered-By for all websites hosted in Plesk for Linux?
# curl -I https://example.com
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Jun 2017 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PleskLin
Answer
-
Install the extension Panel.ini editor to manage Plesk settings
-
Go to Extensions > My Extensions > Panel.ini Editor (the Open button) > the Editor tab add the following lines at the end of the file:
CONFIG_TEXT: [webserver]
xPoweredByHeader = off -
Click the Save button
-
Go to Tools & Settings > Diagnose & Repair and click repair for "Web & FTP Servers" to rebuild web server configuration.
Note: The same can be done via SSH by editing the file /usr/local/psa/admin/conf/panel.ini
Comments
15 comments
"Removing the X-Powered-By header"
This method does not work for me. I still recieve the X-Powered-By header...
Eather it's a painful work if you have a lot of domains. You should implement a toggle to hide this header same with php x-powered-by header, for security reasons, or just keep them away...
@Daniel Thanks for the feedback!
I've checked instructions on the test server and it works for me. Please provide more details. Have you reconfigured domains as per step 7?
If i have my custom templates, e.g. /usr/local/psa/admin/conf/templates/default/server.php
Will I have problems with future Plesk updates?
Or could it be that I will not benefit from further improvements?
Hello @Tobias,
Having a custom template is not an obstacle for future updates.
In case you will have any issue, feel free to contact Plesk Technical Support.
Thanks for that article! Works as described in Onyx 17.8.11 on Ubuntu
Beside that: It would be very very nice if Plesk can include a toggle in the website config GUI to disable such headers also when nginx works as proxy in front of apache
@Josef Glatz,
Hello! Thank you for the feedback.
You may share your idea on a special resource: https://plesk.uservoice.com/forums/184549-feature-suggestions
Are you sure, that your guide above is correct? Why should I remove
<?php foreach ((array)$VAR->domain->physicalHosting->headers as list($name, $value)): ?>
add_header <?=$VAR->quote([$name, $value])?>;
<?php endforeach ?>
and not only the line
add_header X-Powered-By PleskLin;
in
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php?It looks like the lines above set all other headers chosen in the GUI and last one just set the X-Powerd-By header? So if removing all 4 lines, no own set headers will be written as well?
Hello @Christian Heutger,
Thank you for the feedback!
The article was reworked
I followed the whole procedure, including " /usr/local/psa/admin/sbin/httpdmng --reconfigure-all " (twice) and still see "X-Powered-By". Diagnose & Repair says
Restarted everything, but nope :-(.
Any help? A security officier from customer wants us to remove it.
Hello Patrick Jansen
This warning is expected because a custom template is created in the proposed steps.
The most probable cause is that templates were sent incorrectly. Make sure that all 3 rows were removed in all 3 files as per the instruction.
In case this still won't work for you, consider submitting a support request.
Pleas vote here if you like it:
https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/37632988-easy-removal-x-powered-by-http-headers
This new panel.ini feature is first available on Plesk 18.0.31.
For older Plesk Obsidian versions like 18.0.30 there should be still the old guide to copy the webserver templates.
May I know how to remove "Location" in header?
works - but doesn't show in the panel.ini as an option under viewer.
below 18.0.31... and for the higher version ?
Please sign in to leave a comment.