Should you hide .php ?


SaranacLake

Does showing .php on the end of web pages pose any security risk?

My website uses mod_rewrite pretty extensively, e.g.

	www.mysite.com/profiles/saranaclake
	www.mysite.com/subscribe/view-offers

However I still have a lot of web pages which are static pages that end with .php and I'm wondering if I should clean that up both for aesthetic reasons and for security...

4 hours ago, SaranacLake said:

Does showing .php on the end of web pages pose any security risk?

By itself no. It helps to conceal the fact that you're using PHP, but (a) most attackers could find out quickly even if the extension was hidden, and (b) the actual security risk is in the code, not the language it's written in.

"Security through obscurity" is the term, and it's not good.

Besides the aesthetic reason, which IMO is actually the strongest reason, removing the extension means that your URLs are not strictly tied to the scripts supporting the page. If you had /subscribe/view-offers.php as a file then that's one thing, but maybe you move to a framework and now there's some fancy routing happening automatically and you have to tell it "/subscribe/view-offers.php" is the URL and it maps to (eg) the Subscribe controller (class) and its ViewOffers action (method). Or less likely is that you switch to .NET or Ruby or some other language. Either way, the .php extension becomes a nuisance.

The extension doesn't even have to be .php either. You could have myfile.notphp instead. It's arbitrary.

All you have to do is edit the webserver configuration.

# Anchored at the end of the filename so only files that really end in one of
# these extensions are handed to PHP (the unanchored form also matched names
# like "file.php.txt")
<FilesMatch "\.(ph(ar|p|tml)|notphp)$">
    SetHandler application/x-httpd-php
</FilesMatch>

Obscurity only really draws attention though. I mean, if you're a spy trying to blend in, you're not gonna wear a hat saying "not a spy", hopefully.

http://mysite.com/index.notphp

3 minutes ago, Zane said:

The extension doesn't even have to be .php either. You could have myfile.notphp instead. It's arbitrary.

All you have to do is edit the webserver configuration.


# Anchored at the end of the filename so only files that really end in one of
# these extensions are handed to PHP (the unanchored form also matched names
# like "file.php.txt")
<FilesMatch "\.(ph(ar|p|tml)|notphp)$">
    SetHandler application/x-httpd-php
</FilesMatch>

Obscurity only really draws attention though. I mean, if you're a spy trying to blend in, you're not gonna wear a hat saying "not a spy", hopefully.

http://mysite.com/index.notphp

Can I remove the .php using a mod_rewrite, or is that more resource intensive?

Where would the code you provided above go?
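As an added example (not from any poster in this thread), here is one way to do both things asked about above with plain Apache directives. It assumes Apache with mod_php and mod_rewrite, and that the fragment sits either in the vhost's <Directory> block or in a .htaccess where AllowOverride permits FileInfo; the handler mapping is anchored so that only files that genuinely end in a PHP extension are executed.

```apache
# Added example, not from this thread. Assumes mod_php and mod_rewrite are
# loaded and that this lives in a <Directory> block or a .htaccess with
# AllowOverride FileInfo.

# 1. Only execute real PHP files: the regex is anchored at the end, so names
#    like "upload.php.txt" or "notes.php.bak" are served as plain files.
<FilesMatch "\.(php|phar|phtml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

RewriteEngine On

# 2. A direct request for /about.php is redirected to /about, so the
#    extension never shows up in the address bar or in copied links.
#    %{THE_REQUEST} is tested instead of REQUEST_URI so the internal rewrite
#    in step 3 cannot loop back into this rule. The query string is kept.
RewriteCond %{THE_REQUEST} \s/([^\s?]+)\.php[\s?] [NC]
RewriteRule ^ /%1 [R=301,L]

# 3. /about is served by about.php, but only when that file really exists
#    on disk; anything else falls through to the normal 404 handling.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.+)$ $1.php [L]
```

The only extra work per request is the file-existence check in step 3, which is negligible next to actually running the script.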