Jump to content
MDDHosting Forums

ServerSignature Off and ServerTokens Prod

skunkbad

By skunkbad
in Web Hosting

 Share

Recommended Posts

skunkbad Member

skunkbad

Posted
Posted
I'm in the process of helping one of my customers pass their PCI compliance scan. They are currently failing due to PHP revealing information about itself, and in order to pass we need to use ServerSignature Off and ServerTokens Prod php_value expose_php Off . Normally on an Apache server, I'd put this in the .htaccess file, but this doesn't work on Litespeed. Anybody know of a solution for Litespeed?
Link to comment
Share on other sites
Michael D. Elite Member

Michael D.

Posted
Posted

  1. PCI Compliance is near impossible to reach in a shared/reseller/semi-dedicated environment.
  2. For PCI Compliance we usually recommend at least a VPS but usually a Dedicated server.
  3. LiteSpeed runs the same PHP Binaries that Apache does, so the same commands should work. Open a ticket letting us know what you're trying and we can troubleshoot it.

Link to comment
Share on other sites
skunkbad Member

skunkbad

Posted
  • Author
Posted

  1. PCI Compliance is near impossible to reach in a shared/reseller/semi-dedicated environment.
  2. For PCI Compliance we usually recommend at least a VPS but usually a Dedicated server.
  3. LiteSpeed runs the same PHP Binaries that Apache does, so the same commands should work. Open a ticket letting us know what you're trying and we can troubleshoot it.

I used header('X-Powered-By:') in an init type hook of the app, and the header is removed from all pages. Same effect as expose_php = Off (I think).

 

The problem with VPS or dedicated is that it is expensive, and if a customer doesn't pass, the extra fee they have to pay is less than the cost of VPS/Dedicated. I've had success passing PCI compliance scans on shared hosts before. It's going to be a while before I handle this issue. That's why I didn't open up a support ticket.

Link to comment
Share on other sites
Michael D. Elite Member

Michael D.

Posted
Posted

I used header('X-Powered-By:') in an init type hook of the app, and the header is removed from all pages. Same effect as expose_php = Off (I think).

 

The problem with VPS or dedicated is that it is expensive, and if a customer doesn't pass, the extra fee they have to pay is less than the cost of VPS/Dedicated. I've had success passing PCI compliance scans on shared hosts before. It's going to be a while before I handle this issue. That's why I didn't open up a support ticket.

Just open a ticket whenever you're ready/need to :)
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Go to topic listing
×
×
  • Create New...