Closed horst-n closed 8 years ago
This is intentional because not setting the x-powered-by header just leaves it for PHP to set. A blank x-powered-by header enables you to prevent the server from sending PHP version information. For instance, if no x-powered-by header is sent, many servers will fall back to something like "X-Powered-By: PHP/5.6.2". That's why we provide the false option so you can prevent that.
On Tue, Sep 20, 2016 at 9:52 AM, horst notifications@github.com wrote:
This line 142 in ProcessPageView.module https://github.com/ryancramerdesign/ProcessWire/blob/devns/wire/modules/Process/ProcessPageView.module#L142 needs to be corrected:
if($config->usePoweredBy !== null) header('X-Powered-By:' . ($config->usePoweredBy ? ' ProcessWire CMS' : ''));
It should be more like this:
if($config->usePoweredBy) header('X-Powered-By: ProcessWire CMS');
I'd still like to see a change, that false does prevent the header() call and only '' will set it to blank. I think that's much cleaner in intent than differentiating between null and false.
This is intentional because not setting the x-powered-by header just leaves it for PHP to set.
Should that not be the responsibility of the server owner via the expose_php config option? Or is it intentional specifically because there are, perhaps, many who cannot access that option nor set it in .htaccess?
We'd prefer you keep this setting at true when possible, as it's used by tools like w3techs cms usage stats and such, and that helps the project. But you can use null to prevent PW from sending anything here. PW won't know if a powered-by header has already been sent by the server, so the only way to really ensure no server info is sent by the header is to send a blank one (which would override the server one). That's what the false option is for. This configuration option has already been this way for a while, and behaves as intended, so not looking to change it. But I'll update the documentation for it to make it clear about the null option.
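The effect of each usePoweredBy value described above, as an added example that is not part of any comment in this thread or of ProcessWire's code: a Python model of line 142 as quoted in the issue and of the proposed alternative, with a check for whether the resulting header still carries a version string. The function names, the dictionary representation of headers and the sample header are assumptions made for the illustration; the blank header is modelled as the thread describes it, overriding the server's value.

```python
import re

# Constructed sample: the header PHP adds on its own when expose_php is on
# (value taken from the example quoted in the thread).
PHP_DEFAULT = {"X-Powered-By": "PHP/5.6.2"}


def apply_use_powered_by(setting, server_headers, proposed=False):
    """Return the headers after the usePoweredBy check has run.

    proposed=False models line 142 as quoted: null skips header(), any other
    value replaces the header with 'ProcessWire CMS' (truthy) or blank (falsy).
    proposed=True models the alternative from the issue: only a truthy value
    calls header(), so false leaves the server's header untouched.
    """
    headers = dict(server_headers)
    if proposed:
        if setting:
            headers["X-Powered-By"] = "ProcessWire CMS"
    elif setting is not None:
        headers["X-Powered-By"] = "ProcessWire CMS" if setting else ""
    return headers


def classify(headers):
    """Say what X-Powered-By discloses: 'none', 'product' or 'version'."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-powered-by"), None)
    if value is None or not value.strip():
        return "none"
    # Any dotted number (e.g. 5.6.2) counts as version disclosure.
    return "version" if re.search(r"\d+(\.\d+)+", value) else "product"


def audit(server_headers, proposed=False):
    """Classify the outcome of true, false and null for one server setup."""
    settings = (("true", True), ("false", False), ("null", None))
    return {name: classify(apply_use_powered_by(s, server_headers, proposed))
            for name, s in settings}


if __name__ == "__main__":
    for label, base in (("expose_php on", PHP_DEFAULT), ("expose_php off", {})):
        print(label, "current :", audit(base))
        print(label, "proposed:", audit(base, proposed=True))
```

With the sample header, null leaves the PHP version visible under the current logic, and false does the same under the proposed one.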
This line 142 in ProcessPageView.module needs to be corrected:
if($config->usePoweredBy !== null) header('X-Powered-By:' . ($config->usePoweredBy ? ' ProcessWire CMS' : ''));
It should be more like this:
if($config->usePoweredBy) header('X-Powered-By: ProcessWire CMS');