Why is removing the X-Powered-By response header important? How to remove it?

2

Why is it important to remove X-Powered-By from the response headers?

Does this prevent some kind of attack, or does it just keep "inside information" from the attacker?

Example:

X-Powered-By: PHP/5.5.9-1ubuntu4.11

And what are the possible ways in PHP to remove them?

asked by anonymous 05.08.2015 / 17:31

2 answers

4

It does not prevent or avoid anything; in fact, I believe it passes more information than necessary by revealing the environment. I do not use this header as a security factor. You can remove it either from the INI or from PHP itself.

Removing via INI: expose_php = Off

Removing via PHP: header_remove('X-Powered-By')

The header_remove function is available for PHP 5 >= 5.3.0.

05.08.2015 / 22:02
2

See this old and still very useful article:

Apache Tips & Tricks: Hide PHP Version (X-Powered-By)

I would also like to add that in the systems I develop or participate in, this header element is always masked or removed. By masked I mean replaced with the domain name, for example.

This is because it is information that can bring insecurity. That is, masking its content does not by itself make the system safer; it only prevents the remote host from discovering the system and the PHP version that is running.

We all know that every version of any software has its flaws, and all of them are documented over its lifetime; PHP is no exception.

Analysing this type of information lets one understand which flaws this specific version will have, and from there some security holes may be broken, with the consequent attacks.

UPDATE: It should also be noted that for CSS, JS or image elements belonging to a page that masks this header element, the header can still be viewed normally, so if the option is to mask the content of this header element, the same must be done for any type of element that requires autonomous headers.

06.08.2015 / 11:47
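A check for the point made in the UPDATE above, added here as an example and not part of either answer: audit the HTML page together with its PHP-served assets (CSS, JS, images) and report any response that still sends X-Powered-By. It assumes curl is available for the live audit; the sample headers below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: confirm X-Powered-By is gone from every response type, since
# assets served through PHP get their own headers and can leak the version even
# when the HTML page itself has been cleaned up.

# Constructed sample headers (not from a real host), as a PHP-served stylesheet
# might return before expose_php=Off / header_remove() takes effect.
SAMPLE_LEAKING_HEADERS='HTTP/1.1 200 OK
Content-Type: text/css
X-Powered-By: PHP/5.5.9-1ubuntu4.11
'

# powered_by_value: read raw response headers on stdin and print the value of
# the first X-Powered-By header (empty output if none). The match is
# case-insensitive because HTTP/2 responses present header names in lowercase;
# CR characters from CRLF line endings are stripped.
powered_by_value() {
    grep -i '^x-powered-by:' | head -n 1 | cut -d: -f2- | tr -d '\r' | sed 's/^ *//'
}

# audit_urls: GET each URL (page plus its assets), dump only the headers and
# report any that still expose X-Powered-By. A GET rather than HEAD is used
# because PHP scripts may answer HEAD requests differently. Return value is the
# number of leaking URLs, so 0 means clean. Requires curl and network access.
audit_urls() {
    leaks=0
    for url in "$@"; do
        value=$(curl -sS -L --max-time 10 -o /dev/null -D - "$url" | powered_by_value)
        if [ -n "$value" ]; then
            printf 'LEAK  %s  X-Powered-By: %s\n' "$url" "$value"
            leaks=$((leaks + 1))
        else
            printf 'OK    %s\n' "$url"
        fi
    done
    return "$leaks"
}

# Stand-alone use: ./check-powered-by.sh https://example.test/ \
#   https://example.test/style.css.php https://example.test/img.php?id=1
if [ "$#" -gt 0 ]; then
    audit_urls "$@"
fi
```

Run it against the page URL and every asset URL the page references that is generated by PHP; a non-zero exit status means at least one of them still reveals the PHP version.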