Long before a website goes live, you need to take its online security into consideration -- to be ready for the attackers even before they might gain access. This three-part article series will warn you of what to watch out for, particularly when configuring PHP, and help you to secure your website. It is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).
Many programmers prefer to wear their decision to deploy open source software as a badge for the world to see. However, it’s important to realize that every piece of information you release about your project may provide an attacker with vital clues that can ultimately be used to penetrate your server. That said, consider an alternative approach of letting your application stand on its own merits while keeping quiet about the technical details whenever possible. Although obfuscation is only a part of the total security picture, it’s nonetheless a strategy that should always be kept in mind.
Hiding Apache
Apache attaches a server signature to the responses it sends and to the documents it generates itself (e.g., a 500 Internal Server Error page). Two configuration directives control this signature: ServerSignature and ServerTokens.
Apache’s ServerSignature Directive
The ServerSignature directive is responsible for the insertion of that single line of output pertaining to Apache’s server version, server name (set via the ServerName directive), port, and compiled-in modules. When enabled and working in conjunction with the ServerTokens directive (introduced next), it’s capable of displaying output like this:
--------------------------------------------
Apache/2.0.59 (Unix) DAV/2 PHP/6.0.0-dev Server at www.example.com Port 80
--------------------------------------------
Chances are you would rather keep such information to yourself. Therefore, consider disabling this directive by setting it to Off.
Apache’s ServerTokens Directive
The ServerTokens directive determines what degree of server detail is provided when the ServerSignature directive is enabled. Six options are available: Full, Major, Minimal, Minor, OS, and Prod. An example of each is given in Table 21-1.
Table 21-1. Options for the ServerTokens Directive

Option    Example
Full      Apache/2.0.59 (Unix) DAV/2 PHP/6.0.0-dev
Major     Apache/2
Minimal   Apache/2.0.59
Minor     Apache/2.0
OS        Apache/2.0.59 (Unix)
Prod      Apache
Although this directive is moot when ServerSignature is disabled, if ServerSignature must for some reason remain enabled, set ServerTokens to Prod.
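The following is an added example, not code from the book or from the Apache project: a small audit script that parses an httpd.conf fragment and reports whether the two directives discussed above, ServerSignature and ServerTokens, are left at the revealing settings. The two configuration texts it checks are constructed samples (a typical out-of-the-box pair of values beside the hardened pair). The script assumes Apache's documented behaviour that the last definition of a repeated directive wins, that ServerSignature defaults to Off and ServerTokens to Full when absent, and that Apache also accepts the short spellings Min and ProductOnly for Minimal and Prod.

```python
"""Audit an Apache httpd.conf fragment for the two version-disclosure directives
(ServerSignature and ServerTokens).  Added example, not the book's code; the
configuration strings below are constructed samples."""
import re

# Apache's documented ServerTokens keywords, ranked from least to most revealing.
# Prod/ProductOnly and Min/Minimal are the long and short spellings Apache accepts.
TOKENS_RANK = {
    "prod": 0, "productonly": 0,   # "Apache"
    "major": 1,                    # "Apache/2"
    "minor": 2,                    # "Apache/2.0"
    "min": 3, "minimal": 3,        # "Apache/2.0.59"
    "os": 4,                       # "Apache/2.0.59 (Unix)"
    "full": 5,                     # "Apache/2.0.59 (Unix) DAV/2 PHP/6.0.0-dev"
}

# Values Apache uses when the directive does not appear in the configuration.
DEFAULTS = {"serversignature": "Off", "servertokens": "Full"}

# Directive names are case-insensitive in Apache; the value is the first token after them.
DIRECTIVE_RE = re.compile(r"^\s*(ServerSignature|ServerTokens)\s+(\S+)", re.IGNORECASE)


def parse_directives(config_text):
    """Return {directive_in_lowercase: value}, starting from Apache's defaults.
    Comment lines are skipped, and when a directive is repeated the last one wins."""
    found = dict(DEFAULTS)
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            found[match.group(1).lower()] = match.group(2)
    return found


def audit(config_text):
    """Return a list of findings; an empty list means both directives are hardened."""
    directives = parse_directives(config_text)
    signature = directives["serversignature"]
    tokens = directives["servertokens"]
    findings = []
    if signature.lower() != "off":
        findings.append(f"ServerSignature is '{signature}'; set it to Off so error pages carry no version footer")
    if tokens.lower() not in TOKENS_RANK:
        findings.append(f"ServerTokens value '{tokens}' is not a recognised keyword")
    elif TOKENS_RANK[tokens.lower()] > TOKENS_RANK["prod"]:
        findings.append(f"ServerTokens is '{tokens}'; set it to Prod so only 'Apache' is disclosed")
    return findings


# Constructed sample: the revealing pair of values.
WEAK_CONF = """\
ServerName www.example.com
ServerSignature On
ServerTokens Full
"""

# Constructed sample: the hardened pair recommended above.  The commented-out
# line shows that a disabled directive is ignored by the parser.
HARDENED_CONF = """\
ServerName www.example.com
# ServerTokens Full
ServerSignature Off
ServerTokens Prod
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Running the script prints two findings for the weak fragment and none for the hardened one. Note that ServerTokens also governs the Server response header that Apache sends with every reply, so in practice it is worth setting it to Prod even when ServerSignature is Off; the audit therefore checks both directives independently rather than skipping ServerTokens when the signature is disabled.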