- updating the security of PHP headers

Issue: #2795

- adding missing security headers

Issue: #2796

Author: curtismchale

CHANGELOG.md

@@ -0,0 +1,6 @@
+## 2026-04-16
+
+- Hardened HTTP response headers: set `expose_php = Off` in `etc/php.ini` to suppress the `X-Powered-By: PHP/x.x.x` header, added `Header always unset X-Powered-By` to `etc/apache-vhost.conf` as a belt-and-suspenders removal at the Apache level, and added five standard security headers (`X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `X-XSS-Protection`, `Permissions-Policy`) to the same vhost config. Enabled `mod_headers` unconditionally in `Dockerfile` to support all of the above.
+
+References: https://github.com/proudcity/wp-proudcity/issues/2795
+References: https://github.com/proudcity/wp-proudcity/issues/2796

Dockerfile

@@ -20,7 +20,7 @@ RUN apt-get update \
     && rm -rf /var/lib/apt/lists/* \
     && docker-php-ext-configure gd --with-jpeg \
     && docker-php-ext-install gd mysqli opcache bcmath \
-    && a2enmod rewrite expires
+    && a2enmod rewrite expires headers
 
 RUN pecl install mcrypt-1.0.6
 

etc/apache-vhost.conf

@@ -2,6 +2,12 @@
 	#ServerName www.example.com
 	#ServerAdmin webmaster@localhost
 	DocumentRoot /app/wordpress
+	Header always unset X-Powered-By
+	Header always set X-Content-Type-Options "nosniff"
+	Header always set X-Frame-Options "SAMEORIGIN"
+	Header always set Referrer-Policy "strict-origin-when-cross-origin"
+	Header always set X-XSS-Protection "1; mode=block"
+	Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
 
 	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 	# error, crit, alert, emerg.

etc/php.ini

@@ -371,7 +371,7 @@ zend.enable_gc = On
 ; threat in any way, but it makes it possible to determine whether you use PHP
 ; on your server or not.
 ; http://php.net/expose-php
-expose_php = On
+expose_php = Off
 
 ;;;;;;;;;;;;;;;;;;;
 ; Resource Limits ;