Home arrow PHP arrow Page 4 - Secure PHP Programming

Hiding Configuration Details - PHP

Long before a website goes live, you need to take its online security into consideration -- to be ready for the attackers even before they might gain access. This three-part article series will warn you of what to watch out for, particularly when configuring PHP, and help you to secure your website. It is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

TABLE OF CONTENTS:
  1. Secure PHP Programming
  2. Configuring PHP Securely
  3. Other Security-Related Configuration Parameters
  4. Hiding Configuration Details
By: Apress Publishing
Poor Best
Rating: starstarstarstarstar / 1
August 12, 2010

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Many programmers prefer to wear their decision to deploy open source software as a badge for the world to see. However, it’s important to realize that every piece of information you release about your project may provide an attacker with vital clues that can ultimately be used to penetrate your server. That said, consider an alternative approach of letting your application stand on its own merits while keeping quiet about the technical details whenever possible. Although obfuscation is only a part of the total security picture, it’s nonetheless a strategy that should always be kept in mind.

Hiding Apache

Apache outputs a server signature included within all document requests and within server-generated documents (e.g., a 500 Internal Server Error document). Two configuration directives are responsible for controlling this signature: ServerSignature and ServerTokens .

Apache’s ServerSignature Directive

The ServerSignature directive is responsible for the insertion of that single line of output pertaining to Apache’s server version, server name (set via the ServerName directive), port, and compiled-in modules. When enabled and working in conjunction with the ServerTokens directive (introduced next), it’s capable of displaying output like this:

--------------------------------------------
Apache/2.0.59 (Unix) DAV/2 PHP/6.0.0-dev Server at www.example.com Port 80
--------------------------------------------

Chances are you would rather keep such information to yourself. Therefore, consider disabling this directive by setting it to Off .

Apache’s ServerTokens Directive

The ServerTokens directive determines which degree of server details is provided if the ServerSignature directive is enabled. Six options are available: Full , Major , Minimal , Minor , OS , and Prod . An example of each is given in Table 21-1.

Table 21-1. Options for the ServerTokens Directive

Option Example
Full Apache/2.0.59 (Unix) DAV/2 PHP/6.0.0-dev
Major Apache/2
Minimal Apache/2.0.59
Minor Apache/2.0
OS Apache/2.0.59 (Unix)
Prod Apache

Although this directive is moot if ServerSignature is disabled, if for some reason ServerSignature must be enabled, consider setting the directive to Prod .

Please check back next week for the continuation of the series.



 
 
>>> More PHP Articles          >>> More By Apress Publishing
 

blog comments powered by Disqus
   

PHP ARTICLES

- PHP Array Functions: array_change_key_case
- PHP array_combine Function
- PHP array_chunk Function
- PHP Closures as View Helpers: Lazy-Loading F...
- Using PHP Closures as View Helpers
- PHP File and Operating System Program Execut...
- PHP: Effects of Wrapping Code in Class Const...
- PHP: Building Concrete Validators
- Sanitizing Input with PHP
- Executing Shell Commands with PHP
- Handling File Data with PHP
- File Security and Resources with PHP
- ArrayObject PHP Class Examples
- ArrayObject PHP Class: An Introduction
- Getting File System Data with PHP
Find More PHP Articles


© 2003-2012 by Developer Shed. All rights reserved. DS Cluster 2 - Follow our Sitemap

Dev Shed Tutorial Topics: