
Hiding Configuration Details - PHP

Long before a website goes live, you need to take its online security into consideration -- to be ready for the attackers even before they might gain access. This three-part article series will warn you of what to watch out for, particularly when configuring PHP, and help you to secure your website. It is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

  1. Secure PHP Programming
  2. Configuring PHP Securely
  3. Other Security-Related Configuration Parameters
  4. Hiding Configuration Details
By: Apress Publishing
August 12, 2010




Many programmers prefer to wear their decision to deploy open source software as a badge for the world to see. However, it's important to realize that every piece of information you release about your project may provide an attacker with vital clues that can ultimately be used to penetrate your server. Instead, consider letting your application stand on its own merits while keeping quiet about the technical details whenever possible. Although obfuscation is only a part of the total security picture, it's nonetheless a strategy that should always be kept in mind.

Hiding Apache

Apache outputs a server signature included within all document requests and within server-generated documents (e.g., a 500 Internal Server Error document). Two configuration directives control this signature: ServerSignature and ServerTokens.

Apache's ServerSignature Directive

The ServerSignature directive is responsible for the insertion of that single line of output pertaining to Apache's server version, server name (set via the ServerName directive), port, and compiled-in modules. When enabled and working in conjunction with the ServerTokens directive (introduced next), it's capable of displaying output like this:

Apache/2.0.59 (Unix) DAV/2 PHP/6.0.0-dev Server at www.example.com Port 80

Chances are you would rather keep such information to yourself. Therefore, consider disabling this directive by setting it to Off.

Apache's ServerTokens Directive

The ServerTokens directive determines how much server detail is provided when the ServerSignature directive is enabled. Six options are available: Full, Major, Minimal, Minor, OS, and Prod. An example of each is given in Table 21-1.

Table 21-1. Options for the ServerTokens Directive

Option    Example
Full      Apache/2.0.59 (Unix) DAV/2 PHP/6.0.0-dev
Major     Apache/2
Minimal   Apache/2.0.59
Minor     Apache/2.0
OS        Apache/2.0.59 (Unix)
Prod      Apache

Although this directive is moot if ServerSignature is disabled, if for some reason ServerSignature must be enabled, consider setting the directive to Prod.
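The following is an added example, not code from the book: a small audit script that reads an httpd.conf fragment and reports whether the two directives above are set to the values the text recommends. It assumes a flat main-server configuration (no per-VirtualHost overrides) and uses Apache's documented defaults when a directive is absent (ServerTokens defaults to Full, ServerSignature to Off); the sample configuration is constructed for illustration.

```python
import re

# Apache's defaults when the directive does not appear in the config at all.
DEFAULTS = {"servertokens": "Full", "serversignature": "Off"}

# Constructed sample httpd.conf fragment (not from any real server). It sets
# the directives more than once and includes a commented-out line, which
# Apache ignores, so the audit must ignore it too.
SAMPLE_CONF = """\
# Global server settings
ServerName www.example.com
ServerTokens Full
ServerSignature On
# servertokens prod
servertokens OS
"""

# Directive names are case-insensitive in Apache; values are matched loosely below.
DIRECTIVE_RE = re.compile(r"^\s*(ServerTokens|ServerSignature)\s+(\S+)", re.IGNORECASE)


def effective_settings(conf_text):
    """Return the effective ServerTokens/ServerSignature values.

    Later occurrences override earlier ones, as Apache does within one scope.
    Assumption: a flat config with no <VirtualHost> or <IfModule> scoping.
    """
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):  # full-line comment, ignored by Apache
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit(conf_text):
    """Return a list of findings; an empty list means both directives are hardened."""
    s = effective_settings(conf_text)
    findings = []
    # Anything other than Off (i.e. On or EMail) appends the version line to error pages.
    if s["serversignature"].lower() != "off":
        findings.append("ServerSignature is %s; set it to Off" % s["serversignature"])
    # Anything other than Prod leaks version/OS/module details in the Server header.
    if s["servertokens"].lower() != "prod":
        findings.append("ServerTokens is %s; set it to Prod" % s["servertokens"])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Because ServerTokens also governs the Server response header that Apache sends with every reply, the audit flags it even when ServerSignature is already Off.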

Please check back next week for the continuation of the series.
