My machines routinely get scanned by Qualys and other scanners that report my supported and patched version of PHP as wildly out of date (even though they're patched quarterly, I get flagged on ancient CVEs for PHP and Apache). I'm rather sick of even advertising that I've got PHP enabled on these machines. How do they know it's enabled if they don't have an agent on my devices?
Is there some hidden page that I can block or a header from being returned?
I have 'expose_php = On' in my php.ini. I'm guessing I can turn that off, but I don't see what it changes, because I don't see what I've seen as the expected "powered by php" message when I do a curl -I against this machine.
I'd also like to not advertise any other modules I may or may not have enabled in Apache.