Applicable to:
- Plesk for Linux
Question
How to remove/modify the header X-Powered-By for all websites hosted in Plesk for Linux?
# curl -I https://example.com
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Jun 2017 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PleskLin
Answer
Note: This solution is available starting from Plesk Obsidian 18.0.31:
How to update Plesk Obsidian to the latest build
-
Install the extension Panel.ini editor to manage Plesk settings
-
Go to Extensions > My Extensions > Panel.ini Editor (the Open button) > the Editor tab add the following lines at the end of the file:
CONFIG_TEXT: [webserver]
xPoweredByHeader = off -
Click the Save button
-
Go to Tools & Settings > Diagnose & Repair and click repair for "Web & FTP Servers" to rebuild web server configuration.
Note: The same can be done via SSH by editing the file /usr/local/psa/admin/conf/panel.ini
The following examples describe how to remove/modify the X-Powered-By header for Plesk versions below 18.0.31:
Warning: This guide is intended for Plesk administrators with SSH access to the server. If you are a domain owner, please contact your service provider for assistance with removing/changing the headers.
Note: The following steps are only working with Apache. When Nginx is installed, it's possible to modify the panel.ini file as described in the previous accordion to disable the header server-wide.
-
Go to Domains > example.com > Apache & Nginx Settings > Add the following directive in Additional directives for HTTP and Additional directives for HTTPS > Click OK to apply changes:
CONFIG_TEXT: Header unset X-Powered-By
-
Connect to a Plesk server via SSH.
-
Create a directory for custom templates:
# mkdir -p /usr/local/psa/admin/conf/templates/custom/domain
-
Copy default templates to the created directory:
# cp /usr/local/psa/admin/conf/templates/default/server.php /usr/local/psa/admin/conf/templates/custom
# cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain
# cp /usr/local/psa/admin/conf/templates/default/domain/nginxForwarding.php /usr/local/psa/admin/conf/templates/custom/domain
-
Modify custom templates:
Note: If you want to use two or more words separated by space in the X-Powered-By header (For example, X-Powered-By: My custom header), put these words in quotes. Otherwise, the following error will appear: Template_Exception: nginx: [emerg] invalid number of arguments in "add_header" directive.
-
Open the file
/usr/local/psa/admin/conf/templates/custom/server.phpin a text editor (for example, vi editor) and change the value of the X-Powered-By header to your own. Save the changes and close the file. -
Open the file
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.phpin a text editor and change the value of the X-Powered-By header to your own. Save the changes and close the file. -
Open the file
/usr/local/psa/admin/conf/templates/custom/domain/nginxForwarding.phpin a text editor and change the value of the X-Powered-By header to your own. Save the changes and close the file.
-
-
Verify the changes. The output should look as follows:
# grep -ir X-Powered-By /usr/local/psa/admin/conf/templates/custom
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php: add_header X-Powered-By "My custom header";
/usr/local/psa/admin/conf/templates/custom/domain/nginxForwarding.php: add_header X-Powered-By "My custom header";
/usr/local/psa/admin/conf/templates/custom/server.php: Header add "My custom header"Rebuild configuration files of all domains:
Note: If there are 300+ domains on the server, run this command during the maintenance hours.
# /usr/local/psa/admin/sbin/httpdmng --reconfigure-all
-
Verify that the header has been changed:
# curl -I http://example.com
OR
# curl -I https://example.com
Comments
14 comments
"Removing the X-Powered-By header"
This method does not work for me. I still recieve the X-Powered-By header...
Eather it's a painful work if you have a lot of domains. You should implement a toggle to hide this header same with php x-powered-by header, for security reasons, or just keep them away...
@Daniel Thanks for the feedback!
I've checked instructions on the test server and it works for me. Please provide more details. Have you reconfigured domains as per step 7?
If i have my custom templates, e.g. /usr/local/psa/admin/conf/templates/default/server.php
Will I have problems with future Plesk updates?
Or could it be that I will not benefit from further improvements?
Hello @Tobias,
Having a custom template is not an obstacle for future updates.
In case you will have any issue, feel free to contact Plesk Technical Support.
Thanks for that article! Works as described in Onyx 17.8.11 on Ubuntu
Beside that: It would be very very nice if Plesk can include a toggle in the website config GUI to disable such headers also when nginx works as proxy in front of apache
@Josef Glatz,
Hello! Thank you for the feedback.
You may share your idea on a special resource: https://plesk.uservoice.com/forums/184549-feature-suggestions
Are you sure, that your guide above is correct? Why should I remove
<?php foreach ((array)$VAR->domain->physicalHosting->headers as list($name, $value)): ?>
add_header <?=$VAR->quote([$name, $value])?>;
<?php endforeach ?>
and not only the line
add_header X-Powered-By PleskLin;
in
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php?It looks like the lines above set all other headers chosen in the GUI and last one just set the X-Powerd-By header? So if removing all 4 lines, no own set headers will be written as well?
Hello @Christian Heutger,
Thank you for the feedback!
The article was reworked
I followed the whole procedure, including " /usr/local/psa/admin/sbin/httpdmng --reconfigure-all " (twice) and still see "X-Powered-By". Diagnose & Repair says
Restarted everything, but nope :-(.
Any help? A security officier from customer wants us to remove it.
Hello Patrick Jansen
This warning is expected because a custom template is created in the proposed steps.
The most probable cause is that templates were sent incorrectly. Make sure that all 3 rows were removed in all 3 files as per the instruction.
In case this still won't work for you, consider submitting a support request.
Pleas vote here if you like it:
https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/37632988-easy-removal-x-powered-by-http-headers
This new panel.ini feature is first available on Plesk 18.0.31.
For older Plesk Obsidian versions like 18.0.30 there should be still the old guide to copy the webserver templates.
May I know how to remove "Location" in header?
works - but doesn't show in the panel.ini as an option under viewer.
Please sign in to leave a comment.