ryancramerdesign / ProcessWire

Our repository has moved to https://github.com/processwire – please head there for the latest version.
https://processwire.com

$config->usePoweredBy sends empty header when set to false! Only setting to NULL disables it. #2043

Closed horst-n closed 8 years ago

horst-n commented 8 years ago

This line 142 in ProcessPageView.module needs to be corrected: if($config->usePoweredBy !== null) header('X-Powered-By:' . ($config->usePoweredBy ? ' ProcessWire CMS' : ''));

It should be more like this: if($config->usePoweredBy) header('X-Powered-By: ProcessWire CMS');

ryancramerdesign commented 8 years ago

This is intentional because not setting the x-powered-by header just leaves it for PHP to set. A blank x-powered-by header enables you to prevent the server from sending PHP version information. For instance, if no x-powered-by header is sent, many servers will fall back to something like "X-Powered-By: PHP/5.6.2". That's why we provide the false option so you can prevent that.

On Tue, Sep 20, 2016 at 9:52 AM, horst notifications@github.com wrote:

This line 142 in ProcessPageView.module https://github.com/ryancramerdesign/ProcessWire/blob/devns/wire/modules/Process/ProcessPageView.module#L142 needs to be corrected: if($config->usePoweredBy !== null) header('X-Powered-By:' . ($config->usePoweredBy ? ' ProcessWire CMS' : ''));

It should be more like this: if($config->usePoweredBy) header('X-Powered-By: ProcessWire CMS');


LostKobrakai commented 8 years ago

I'd still like to see a change, so that false does prevent the header() call and only '' will set it to blank. I think that's much cleaner in intent than differentiating between null and false.

mikerockett commented 8 years ago

> This is intentional because not setting the x-powered-by header just leaves it for PHP to set.

Should that not be the responsibility of the server owner via the expose_php config option? Or is it intentional specifically because there are, perhaps, many who cannot access that option nor set it in .htaccess?

ryancramerdesign commented 8 years ago

We'd prefer you keep this setting at true when possible, as it's used by tools like w3techs cms usage stats and such, and that helps the project. But you can use null to prevent PW from sending anything here. PW won't know if a powered-by header has already been sent by the server, so the only way to really ensure no server info is sent by the header is to send a blank one (which would override the server one). That's what the false option is for. This configuration option has already been this way for a while, and behaves as intended, so not looking to change it. But I'll update the documentation for it to make it clear about the null option.
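
A header check for the outcomes discussed in this thread, as an added example that is not ProcessWire code and not part of any comment above: it classifies a raw HTTP response by its X-Powered-By header, so a site owner can confirm which of the true, false and null settings is actually reaching clients. The sample responses are constructed, and the function names and the duplicate-header case are assumptions made for illustration.

```python
import re

CRLF = "\r\n"

def response(*headers):
    """Build a constructed HTTP response carrying the given extra header lines."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/html", *headers]
    return CRLF.join(lines) + CRLF + CRLF + "<html></html>"

# Constructed samples, one per outcome described in the thread.
SAMPLES = {
    "true": response("X-Powered-By: ProcessWire CMS"),
    "false": response("X-Powered-By:"),
    "null, PHP sets it": response("X-Powered-By: PHP/5.6.2"),
    "null, nothing sets it": response(),
    # Assumed edge case: a second copy added elsewhere in the stack.
    "blank plus server copy": response("X-Powered-By:", "X-Powered-By: PHP/5.6.2"),
}

def powered_by_values(raw):
    """Return every X-Powered-By value in the header block (name is case-insensitive)."""
    head = raw.split(CRLF + CRLF, 1)[0]
    values = []
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            values.append(value.strip())
    return values

def classify(raw):
    """Map a response to absent / blank / product-only / version-disclosed."""
    values = powered_by_values(raw)
    if not values:
        return "absent"
    # Any copy that carries a version number counts as disclosure.
    if any(re.search(r"\d+\.\d+", v) for v in values):
        return "version-disclosed"
    if all(v == "" for v in values):
        return "blank"
    return "product-only"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:24} -> {classify(raw)}")
```
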