SaranacLake, posted October 5, 2019

Does showing .php on the end of web pages pose any security risk?

My website uses mod_rewrite pretty extensively, e.g.

www.mysite.com/profiles/saranaclake
www.mysite.com/subscribe/view-offers

However, I still have a lot of web pages which are static pages that end with .php, and I'm wondering if I should clean that up both for aesthetic reasons and for security...

Thread: https://forums.phpfreaks.com/topic/309335-should-you-hide-php/
requinix, posted October 5, 2019

4 hours ago, SaranacLake said:
"Does showing .php on the end of web pages pose any security risk?"

By itself, no. It helps to conceal the fact that you're using PHP, but (a) most attackers could find out quickly even if the extension was hidden, and (b) the actual security risk is in the code, not the language it's written in. "Security through obscurity" is the term, and it's not good.

Besides the aesthetic reason, which IMO is actually the strongest reason, removing the extension means that your URLs are not strictly tied to the scripts supporting the page. If you had /subscribe/view-offers.php as a file then that's one thing, but maybe you move to a framework and now there's some fancy routing happening automatically and you have to tell it "/subscribe/view-offers.php" is the URL and it maps to (e.g.) the Subscribe controller (class) and its ViewOffers action (method). Or, less likely, you switch to .NET or Ruby or some other language. Either way, the .php extension becomes a nuisance.
Zane, posted October 6, 2019

The extension doesn't even have to be .php either. You could have myfile.notphp instead. It's arbitrary. All you have to do is edit the webserver configuration.

<FilesMatch "\.(ph(ar|p|tml)|notphp)$">
    SetHandler application/x-httpd-php
</FilesMatch>

Obscurity only really draws attention though. I mean, if you're a spy trying to blend in, you're not gonna wear a hat saying "not a spy", hopefully.

http://mysite.com/index.notphp
SaranacLake (author), posted October 6, 2019

3 minutes ago, Zane said:
"The extension doesn't even have to be .php either. You could have myfile.notphp instead. It's arbitrary. All you have to do is edit the webserver configuration.

<FilesMatch "\.(ph(ar|p|tml)|notphp)$">
    SetHandler application/x-httpd-php
</FilesMatch>

Obscurity only really draws attention though. I mean, if you're a spy trying to blend in, you're not gonna wear a hat saying "not a spy", hopefully.

http://mysite.com/index.notphp"

Can I remove the .php using a mod_rewrite, or is that more resource intensive? Where would the code you provided above go?
Barand, posted October 6, 2019

https://www.php.net/manual/en/security.hiding.php
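A worked .htaccess answer to the mod_rewrite question above, added here as an example that is not from any poster in the thread. It assumes Apache with mod_rewrite loaded and AllowOverride permitting rewrite directives in the site's document root, and a hypothetical layout where subscribe/view-offers.php is a real file under that root.

```apache
# Added example (not from the thread): publish extensionless URLs for .php files.
RewriteEngine On

# 1. If a client asks for /something.php directly, send a 301 to /something so
#    only one URL per page is ever indexed or linked. THE_REQUEST holds the
#    original request line ("GET /subscribe/view-offers.php HTTP/1.1"), so this
#    condition does not fire on the internal rewrite in step 2 and cannot loop.
RewriteCond %{THE_REQUEST} \s/([^\s?]+)\.php[\s?]
RewriteRule ^ /%1 [R=301,L]

# 2. Internally map /path/name to /path/name.php, but only when that file
#    actually exists (-f). Requests for anything else fall through untouched,
#    so missing pages still produce a normal 404 instead of an odd rewrite.
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
RewriteRule ^([^.]+)$ /$1.php [L]

# What this does NOT do: hide that the site runs PHP. The X-Powered-By header
# (controlled by expose_php in php.ini, not settable here) and PHP error pages
# still reveal it. The real gain is a URL that survives a later change of
# framework or language, as discussed above.
```

Put the file at the document root; step 1 is a client-visible redirect, while step 2 is an internal rewrite the browser never sees.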