PHP: Hiding PHP - Manual
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>PHP: Hiding PHP - Manual </title> <link rel="canonical" href="https://www.php.net/manual/en/security.hiding.php"> <base href="https://www.php.net/manual/en/security.hiding.php"> </head> <body class="docs "> <div id="layout" class="clearfix"> <section id="layout-content"> <div class="page-tools"> <div class="change-language"> <form action="/manual/change.php" method="get" id="changelang" 
name="changelang"> </form> </div> </div>
<div id="security.hiding" class="chapter">
<h1 class="title">Hiding PHP</h1>
<p class="para"> In general, security by obscurity is one of the weakest forms of security. But in some cases, every little bit of extra security is desirable. </p>
<p class="para"> A few simple techniques can help to hide <abbr title="PHP: Hypertext Preprocessor">PHP</abbr>, possibly slowing down an attacker who is attempting to discover weaknesses in your system. By setting <code class="literal">expose_php</code> to <code class="literal">off</code> in your <var class="filename">php.ini</var> file, you reduce the amount of information available to them. </p>
<p class="para"> Another tactic is to configure web servers such as Apache to parse different file types through <abbr title="PHP: Hypertext Preprocessor">PHP</abbr>, either with an <var class="filename">.htaccess</var> directive or in the Apache configuration file itself. You can then use misleading file extensions:
<div class="example" id="example-474"> <p><strong>Example #1 Hiding PHP as another language</strong></p> <div class="example-contents"> <div class="apache-confcode"><pre class="apache-confcode"># Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl</pre> </div> </div> </div>
Or obscure it completely:
<div class="example" id="example-475"> <p><strong>Example #2 Using unknown types for PHP extensions</strong></p> <div class="example-contents"> <div class="apache-confcode"><pre class="apache-confcode"># Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t</pre> </div> </div> </div>
Or hide it as <abbr title="Hyper Text Markup Language">HTML</abbr> code, which has a slight performance hit because all <abbr title="Hyper Text Markup Language">HTML</abbr> will be parsed through the <abbr title="PHP: Hypertext Preprocessor">PHP</abbr> engine:
<div class="example" id="example-476"> <p><strong>Example #3 Using <abbr title="Hyper Text Markup Language">HTML</abbr> types for PHP extensions</strong></p> <div class="example-contents"> <div class="apache-confcode"><pre class="apache-confcode"># Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html</pre> </div> </div> </div>
For this to work effectively, you must rename your <abbr title="PHP: Hypertext Preprocessor">PHP</abbr> files with the above extensions. While it is a form of security through obscurity, it's a minor preventative measure with few drawbacks. 
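To check whether these settings took effect, the following added example (not part of the PHP manual; the function names are hypothetical and the sample responses are constructed) scans a response's URL and headers for the PHP indicators discussed on this page: the X-Powered-By header controlled by expose_php, a PHP token in the Server header, the default PHPSESSID cookie name, and a .php extension in a path.

```python
"""Audit a response for the PHP indicators discussed on this page.

Added example: function names are hypothetical and the sample responses
are constructed for illustration, not captured from a real server.
"""
import re
from urllib.parse import urlsplit

# ".php" (also .php5, .phtml) at the end of a path or before path info.
PHP_PATH = re.compile(r"\.(?:php\d?|phtml)(?:$|/)", re.IGNORECASE)
# A literal PHP product token such as "PHP/x.y.z" inside a header value.
PHP_TOKEN = re.compile(r"\bPHP\b", re.IGNORECASE)


def parse_head(raw):
    """Split a raw response head into (status_line, [(name, value), ...]).

    Header names are lower-cased; repeated headers (Set-Cookie) are kept.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def php_indicators(url, raw_head):
    """Return a sorted list of (indicator, evidence) pairs that reveal PHP."""
    _, headers = parse_head(raw_head)
    findings = set()

    path = urlsplit(url).path
    if PHP_PATH.search(path):
        findings.add(("url-extension", path))

    for name, value in headers:
        if name == "x-powered-by" and PHP_TOKEN.search(value):
            findings.add(("x-powered-by", value))    # expose_php still on
        elif name == "server" and PHP_TOKEN.search(value):
            findings.add(("server-token", value))    # verbose Server header
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie.upper() == "PHPSESSID":        # default session name
                findings.add(("session-cookie", cookie))
        elif name == "location" and PHP_PATH.search(urlsplit(value).path):
            findings.add(("redirect-extension", value))
    return sorted(findings)


# Constructed sample 1: nothing hidden (placeholder version numbers).
DEFAULT_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/0.0 (Unix) PHP/0.0.0\r\n"
    "X-Powered-By: PHP/0.0.0\r\n"
    "Set-Cookie: PHPSESSID=constructedvalue; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)

# Constructed sample 2: extension and X-Powered-By disguised, but the
# session cookie still carries PHP's default name.
PARTIAL_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: PHPSESSID=constructedvalue; path=/\r\n\r\n"
)

# Constructed sample 3: header removed, generic session name, no extension.
HARDENED_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: id=constructedvalue; path=/\r\n\r\n"
)

if __name__ == "__main__":
    samples = (
        ("default", "http://www.example.com/forums/post.php?forumid=15", DEFAULT_HEAD),
        ("partial", "http://www.example.com/forums/post.asp", PARTIAL_HEAD),
        ("hardened", "http://www.example.com/forums/post?forumid=15", HARDENED_HEAD),
    )
    for label, url, head in samples:
        print(label, php_indicators(url, head))
```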
</p> </div>
<section id="usernotes"> <div class="head"> <h3 class="title">User Contributed Notes <span class="count">23 notes</span></h3> </div><div id="allnotes">
<div class="note" id="72630"> <div class="votes"> <div class="tally" id="V72630" title="55% like this..."> 42 </div> </div> <a href="#72630" class="name"> <strong class="user"><em>rustamabd at google mail</em></strong></a><a class="genanchor" href="#72630"> ¶</a><div class="date" title="2007-01-26 12:05"><strong>17 years ago</strong></div> <div class="text" id="Hcom72630"> <div class="phpcode"><code><span class="html">So far I haven't seen a working rewriter of /foo/bar into /foo/bar.php, so I created my own. 
It does work in top-level directory AND subdirectories and it doesn't need hardcoding the RewriteBase.<br /><br />.htaccess:<br /><br />RewriteEngine on<br /><br /># Rewrite /foo/bar to /foo/bar.php<br />RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]<br /><br /># Return 404 if original request is /foo/bar.php<br />RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"<br />RewriteRule .* - [L,R=404]<br /><br /># NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:<br /># RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]</span></code></div> </div> </div>
<div class="note" id="113970"> <div class="votes"> <div class="tally" id="V113970" title="56% like this..."> 25 </div> </div> <a href="#113970" class="name"> <strong class="user"><em>anon at example dot com</em></strong></a><a class="genanchor" href="#113970"> ¶</a><div class="date" title="2013-12-23 10:48"><strong>10 years ago</strong></div> <div class="text" id="Hcom113970"> <div class="phpcode"><code><span class="html">The session name defaults to PHPSESSID. This is used as the name of the session cookie that is sent to the user's web browser / client. (Example: PHPSESSID=kqjqper294faui343o98ts8k77).<br /><br />To hide this, call session_name() with the $name parameter set to a generic name, before calling session_start(). Example:<br /><br />session_name("id");<br />session_start();<br /><br />Cheers.</span></code></div> </div> </div>
<div class="note" id="128154"> <div class="votes"> <div class="tally" id="V128154" title="63% like this..."> 3 </div> </div> <a href="#128154" class="name"> <strong class="user"><em>Sajith Karunatilake @</em></strong></a><a class="genanchor" href="#128154"> ¶</a><div class="date" title="2023-01-26 09:24"><strong>1 year ago</strong></div> <div class="text" id="Hcom128154"> <div class="phpcode"><code><span class="html">Just hiding it doesn't look like good "security" if the code itself is flawed. At the end of the day the code has to run regardless of its file extension. There could be some advantages to this. But it does not prevent someone (who is not a script-kiddie or some kind of automated bot) from exploiting the flaws in the code.<br /><br />Just a thought.<br /><br />Just leaving this comment to prevent a beginner from using this as a legitimate security measure (assuming they read documentation). Cool feature though.</span></code></div> </div> </div>
<div class="note" id="64278"> <div class="votes"> <div class="tally" id="V64278" title="53% like this..."> 15 </div> </div> <a href="#64278" class="name"> <strong class="user"><em>marpetr at NOSPAM dot gmail dot com</em></strong></a><a class="genanchor" href="#64278"> ¶</a><div class="date" title="2006-04-11 05:18"><strong>18 years ago</strong></div> <div class="text" id="Hcom64278"> <div class="phpcode"><code><span class="html">I think the best way to hide PHP on Apache and Apache itself is this:<br /><br />httpd.conf<br />-------------<br /># ...<br /># Minimize 'Server' header information<br />ServerTokens Prod<br /># Disable server signature on server generated pages<br />ServerSignature Off<br /># ...<br /># Set default file type to PHP<br />DefaultType application/x-httpd-php<br /># ...<br /><br />php.ini<br />------------<br />; ...<br />expose_php = Off<br />; ...<br /><br />Now the URLs will look like this:<br /><a href="http://my.server.com/forums/post?forumid=15" rel="nofollow" target="_blank">http://my.server.com/forums/post?forumid=15</a><br /><br />Now a hacker knows only that you are using Apache.</span></code></div> </div> </div>
<div class="note" id="86623"> <div class="votes"> <div class="tally" id="V86623" title="56% like this..."> 11 </div> </div> <a href="#86623" class="name"> <strong class="user"><em>sandaimespaceman at gmail dot com</em></strong></a><a class="genanchor" href="#86623"> ¶</a><div class="date" title="2008-10-26 04:51"><strong>16 years ago</strong></div> <div class="text" id="Hcom86623"> <div class="phpcode"><code><span class="html">Setting the INI directive "expose_php" to "off" will also help.<br />You can spoof your PHP to ASP.NET by using:<br /><span class="default"><?php<br />error_reporting</span><span class="keyword">(</span><span class="default">0</span><span class="keyword">);<br /></span><span class="default">header</span><span class="keyword">(</span><span class="string">"X-Powered-By: ASP.NET"</span><span class="keyword">);<br /></span><span class="default">?></span></span></code></div> </div> </div>
<div class="note" id="28980"> <div class="votes"> <div class="tally" id="V28980" title="57% like this..."> 10 </div> </div> <a href="#28980" class="name"><strong class="user"><em>Anonymous</em></strong></a><a class="genanchor" href="#28980"> ¶</a><div class="date" title="2003-01-29 10:53"><strong>21 years ago</strong></div> <div class="text" id="Hcom28980"> <div class="phpcode"><code><span class="html">PS. If you want to use pretty URLs (i.e. hide your .php extensions) AND you have safe-mode=on, the previous example (ForceType) won't work for you. The problem is that safe-mode forces Apache to honor trailing characters in a requested URL. 
This means that: <br /> <br /><a href="http://www.example.com/home" rel="nofollow" target="_blank">http://www.example.com/home</a> <br /> <br />would still be processed by the home script in our doc root, but for: <br /> <br /><a href="http://www.example.com/home/contact_us.html" rel="nofollow" target="_blank">http://www.example.com/home/contact_us.html</a> <br /> <br />apache would actually look for the /home/contact_us.html file in our doc root. <br /> <br />The best solution I've found is to set up a virtual host (which I do for everything, even the default doc root) and override the trailing characters handling within the virtual host. So, for a virtual host listening on port 8080, the apache directives would look like this: <br /> <br /><VirtualHost *:8080> <br /> DocumentRoot /web/doc_root <br /> Alias /home "/web/doc_root/home.php" <br /> AcceptPathInfo On <br /></VirtualHost> <br /> <br />Some people might question why we are overriding the trailing characters handling (with the AcceptPathInfo directive) instead of just turning safe-mode=off. The reason is that safe mode sets global limitations on the entire server, which can then be turned on or left off for each specific virtual host. This is the equivalent of blocking all connections on a firewall, and then opening up only the ones you want, which is a lot safer than leaving everything open globally, and assuming your programmers will never overlook a possible security hole.</span></code></div> </div> </div>
<div class="note" id="40772"> <div class="votes"> <div class="tally" id="V40772" title="53% like this..."> 13 </div> </div> <a href="#40772" class="name"> <strong class="user"><em>mmj</em></strong></a><a class="genanchor" href="#40772"> ¶</a><div class="date" title="2004-03-14 05:58"><strong>20 years ago</strong></div> <div class="text" id="Hcom40772"> <div class="phpcode"><code><span class="html">You can see if somebody's using PHP just by adding the following to the end of the URL:<br />?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000<br />If the page is using PHP, this will show the PHP credits.<br /><br />Setting expose_php to Off in php.ini prevents this.</span></code></div> </div> </div>
<div class="note" id="53144"> <div class="votes"> <div class="tally" id="V53144" title="56% like this..."> 9 </div> </div> <a href="#53144" class="name"> <strong class="user"><em>benjamin at sonntag dot fr</em></strong></a><a class="genanchor" href="#53144"> ¶</a><div class="date" title="2005-05-24 09:14"><strong>19 years ago</strong></div> <div class="text" id="Hcom53144"> <div class="phpcode"><code><span class="html">In response to the previous messages, for apache, there is an easier way to set files without "." to be executed by PHP, just put this in a ".htaccess" file : <br /><br />DefaultType application/x-httpd-php</span></code></div> </div> </div>
<div class="note" id="36936"> <div class="votes"> <div class="tally" id="V36936" title="55% like this..."> 10 </div> </div> <a href="#36936" class="name"> <strong class="user"><em>ldemailly at qualysNOSPAM dot com</em></strong></a><a class="genanchor" href="#36936"> ¶</a><div class="date" title="2003-10-27 08:17"><strong>21 years ago</strong></div> <div class="text" id="Hcom36936"> <div class="phpcode"><code><span class="html">adding MultiViews to your apache Options config<br />lets you hide/omit .php in the url without any rewriting, etc...</span></code></div> </div> </div>
<div class="note" id="86286"> <div class="votes"> <div class="tally" id="V86286" title="55% like this..."> 9 </div> </div> <a href="#86286" class="name"> <strong class="user"><em>Pyornide</em></strong></a><a class="genanchor" href="#86286"> ¶</a><div class="date" title="2008-10-10 05:57"><strong>16 years ago</strong></div> <div class="text" id="Hcom86286"> <div class="phpcode"><code><span class="html">The idea of hiding the X-Powered-By in PHP is a flawed attempt at establishing security. As the manual indicates, obscurity is not security. If I were exploiting a site, I wouldn't check what scripting language the site runs on, because all that would matter to me is exploiting it. Hiding the fact that you use [x] language isn't going to prevent me from bypassing poor security.</span></code></div> </div> </div>
<div class="note" id="99001"> <div class="votes"> <div class="tally" id="V99001" title="52% like this..."> 10 </div> </div> <a href="#99001" class="name"> <strong class="user"><em>CD001</em></strong></a><a class="genanchor" href="#99001"> ¶</a><div class="date" title="2010-07-21 09:03"><strong>14 years ago</strong></div> <div class="text" id="Hcom99001"> <div class="phpcode"><code><span class="html">It's a good idea to "hide" PHP anyway so you can write a RESTful web application.<br /><br />Using Apache Mod Rewrite:<br /><br />RewriteEngine On<br />RewriteRule ^control/([^/]+)/(.*)$ sitecontroller.php?control=$1&query=$2<br /><br />You then use a function like the following as a way to retrieve data (in a zero indexed fashion) from the $_GET superglobal.<br /><br /><span class="default"><?php<br /></span><span class="keyword">function </span><span class="default">myGET</span><span class="keyword">() {<br /> </span><span class="default">$aGet </span><span class="keyword">= array();<br /><br /> if(isset(</span><span class="default">$_GET</span><span class="keyword">[</span><span class="string">'query'</span><span class="keyword">])) {<br /> </span><span class="default">$aGet </span><span class="keyword">= </span><span class="default">explode</span><span class="keyword">(</span><span class="string">'/'</span><span class="keyword">, </span><span class="default">$_GET</span><span class="keyword">[</span><span class="string">'query'</span><span class="keyword">]);<br /> }<br /><br /> return </span><span class="default">$aGet</span><span class="keyword">;<br />}<br /></span><span class="default">?><br /></span><br />This is only a really basic example of course - you can do a lot with Mod Rewrite and a custom 'GET' function.</span></code></div> </div> </div>
<div class="note" id="117586"> <div class="votes"> <div class="tally" id="V117586" title="53% like this..."> 8 </div> </div> <a href="#117586" class="name"> <strong class="user"><em>info at frinteractives dot com</em></strong></a><a class="genanchor" href="#117586"> ¶</a><div class="date" title="2015-07-02 10:42"><strong>9 years ago</strong></div> <div class="text" id="Hcom117586"> <div class="phpcode"><code><span class="html">try this<br />RewriteEngine On<br /><br /># Unless directory, remove trailing slash<br />RewriteCond %{REQUEST_FILENAME} !-d<br />RewriteRule ^([^/]+)/$ <a href="http://example.com/folder/$1" rel="nofollow" target="_blank">http://example.com/folder/$1</a> [R=301,L]<br /><br /># Redirect external .php requests to extensionless url<br />RewriteCond %{THE_REQUEST} ^(.+)\.php([#?][^\ ]*)?\ HTTP/<br />RewriteRule ^(.+)\.php$ <a href="http://example.com/folder/$1" rel="nofollow" target="_blank">http://example.com/folder/$1</a> [R=301,L]<br /><br /># Resolve .php file for extensionless php urls<br />RewriteRule ^([^/.]+)$ $1.php [L]</span></code></div> </div> </div>
<div class="note" id="18520"> <div class="votes"> <div id="Vu18520"> <a href="/manual/vote-note.php?id=18520&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd18520"> <a href="/manual/vote-note.php?id=18520&page=security.hiding&vote=down" title="Vote down!" 
class="usernotes-voted">down</a> </div> <div class="tally" id="V18520" title="54% like this..."> 7 </div> </div> <a href="#18520" class="name"> <strong class="user"><em>yasuo_ohgaki at yahoo dot com</em></strong></a><a class="genanchor" href="#18520"> ¶</a><div class="date" title="2002-01-26 03:59"><strong>22 years ago</strong></div> <div class="text" id="Hcom18520"> <div class="phpcode"><code><span class="html">To hide PHP, you need the following php.ini settings<br /><br />expose_php=Off <br />display_errors=Off<br /><br />and in httpd.conf<br /><br />ServerSignature Off<br />(min works, but I prefer off)</span></code></div> </div> </div> <div class="note" id="54313"> <div class="votes"> <div id="Vu54313"> <a href="/manual/vote-note.php?id=54313&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd54313"> <a href="/manual/vote-note.php?id=54313&page=security.hiding&vote=down" title="Vote down!" class="usernotes-voted">down</a> </div> <div class="tally" id="V54313" title="54% like this..."> 5 </div> </div> <a href="#54313" class="name"> <strong class="user"><em>jtw90210</em></strong></a><a class="genanchor" href="#54313"> ¶</a><div class="date" title="2005-06-30 01:19"><strong>19 years ago</strong></div> <div class="text" id="Hcom54313"> <div class="phpcode"><code><span class="html">In order to get the PATH_INFO to work in order to pass parameters using a hidden program/trailing slash/"pretty url" in more recent versions of PHP you MUST add "AcceptPathInfo On" to your httpd.conf. <br /> <br />AddType application/x-httpd-php .php .html <br />AcceptPathInfo On <br /> <br />Try it out with your phpinfo page and you'll be able to search for PATH_INFO. 
<br /> <br /><a href="http://example.com/myphpinfo.php/showmetheway" rel="nofollow" target="_blank">http://example.com/myphpinfo.php/showmetheway</a> <br /> <br />If you want to drop the .php use one or both of these: <br />DefaultType application/x-httpd-php <br />ForceType application/x-httpd-php</span></code></div> </div> </div> <div class="note" id="42332"> <div class="votes"> <div id="Vu42332"> <a href="/manual/vote-note.php?id=42332&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd42332"> <a href="/manual/vote-note.php?id=42332&page=security.hiding&vote=down" title="Vote down!" class="usernotes-voted">down</a> </div> <div class="tally" id="V42332" title="53% like this..."> 6 </div> </div> <a href="#42332" class="name"><strong class="user"><em>Anonymous</em></strong></a><a class="genanchor" href="#42332"> ¶</a><div class="date" title="2004-05-12 08:20"><strong>20 years ago</strong></div> <div class="text" id="Hcom42332"> <div class="phpcode"><code><span class="html">Keep in mind, if you're really freaked out over hiding PHP, GD will expose you.<br /><br />Go ahead - make an image with GD and open with a text editor. Somewhere in there you'll see a comment with gd & php all over it.</span></code></div> </div> </div> <div class="note" id="17872"> <div class="votes"> <div id="Vu17872"> <a href="/manual/vote-note.php?id=17872&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd17872"> <a href="/manual/vote-note.php?id=17872&page=security.hiding&vote=down" title="Vote down!" 
class="usernotes-voted">down</a> </div> <div class="tally" id="V17872" title="54% like this..."> 5 </div> </div> <a href="#17872" class="name"> <strong class="user"><em>istvan dot takacsNOSPAM at hungax dot com</em></strong></a><a class="genanchor" href="#17872"> ¶</a><div class="date" title="2001-12-30 09:42"><strong>22 years ago</strong></div> <div class="text" id="Hcom17872"> <div class="phpcode"><code><span class="html">And use the <br />ServerTokens min <br />directive in your httpd.conf to hide installed PHP modules in apache.</span></code></div> </div> </div> <div class="note" id="23561"> <div class="votes"> <div id="Vu23561"> <a href="/manual/vote-note.php?id=23561&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd23561"> <a href="/manual/vote-note.php?id=23561&page=security.hiding&vote=down" title="Vote down!" class="usernotes-voted">down</a> </div> <div class="tally" id="V23561" title="53% like this..."> 6 </div> </div> <a href="#23561" class="name"> <strong class="user"><em>m1tk4 at hotmail dot com</em></strong></a><a class="genanchor" href="#23561"> ¶</a><div class="date" title="2002-07-22 05:53"><strong>22 years ago</strong></div> <div class="text" id="Hcom23561"> <div class="phpcode"><code><span class="html">I usually do:<br /><br />RewriteEngine on<br />RewriteOptions inherit<br />RewriteRule (.*)\.htm[l]?(.*) $1.php$2 [nocase]<br /><br />in .htaccess. You'll need mod_rewrite installed for this.</span></code></div> </div> </div> <div class="note" id="34285"> <div class="votes"> <div id="Vu34285"> <a href="/manual/vote-note.php?id=34285&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd34285"> <a href="/manual/vote-note.php?id=34285&page=security.hiding&vote=down" title="Vote down!" 
class="usernotes-voted">down</a> </div> <div class="tally" id="V34285" title="53% like this..."> 5 </div> </div> <a href="#34285" class="name"> <strong class="user"><em>l0rdphi1 at liquefyr dot com</em></strong></a><a class="genanchor" href="#34285"> ¶</a><div class="date" title="2003-07-21 04:02"><strong>21 years ago</strong></div> <div class="text" id="Hcom34285"> <div class="phpcode"><code><span class="html">More fun includes files without file extensions. <br /> <br />Simply add that ForceType application/x-httpd-php bit to an Apache .htaccess and you're set. <br /> <br />Oh yea, it gets even better when you play with stuff like the following: <br /> <br /><span class="default"><?php <br />substr</span><span class="keyword">(</span><span class="default">$_SERVER</span><span class="keyword">[</span><span class="string">'PATH_INFO'</span><span class="keyword">],</span><span class="default">1</span><span class="keyword">); <br /></span><span class="default">?> <br /></span> <br />e.g. www.example.com/somepage/55 <br /> <br />And: <br /> <br /><span class="default"><?php <br />$param </span><span class="keyword">= array(); <br /></span><span class="comment">/* trim() drops the leading '/' so no empty first segment is produced */ <br /></span><span class="keyword">foreach ( </span><span class="default">explode</span><span class="keyword">(</span><span class="string">'/'</span><span class="keyword">,</span><span class="default">trim</span><span class="keyword">(</span><span class="default">$_SERVER</span><span class="keyword">[</span><span class="string">'PATH_INFO'</span><span class="keyword">],</span><span class="string">'/'</span><span class="keyword">)) as </span><span class="default">$pair </span><span class="keyword">) { <br /> </span><span class="comment">/* skip segments that are not key=value */ <br /> </span><span class="keyword">if ( </span><span class="default">strpos</span><span class="keyword">(</span><span class="default">$pair</span><span class="keyword">,</span><span class="string">'='</span><span class="keyword">) === </span><span class="default">false </span><span class="keyword">) continue; <br /> </span><span class="comment">/* split() was removed in PHP 7; explode() with a limit of 2 does the same job here */ <br /> </span><span class="keyword">list(</span><span class="default">$key</span><span class="keyword">,</span><span class="default">$value</span><span class="keyword">) = </span><span class="default">explode</span><span class="keyword">(</span><span class="string">'='</span><span class="keyword">,</span><span class="default">$pair</span><span class="keyword">,</span><span class="default">2</span><span class="keyword">); <br /> </span><span class="default">$param</span><span class="keyword">[</span><span class="default">$key</span><span class="keyword">] 
= </span><span class="default">stripslashes</span><span class="keyword">(</span><span class="default">$value</span><span class="keyword">); <br />} <br /></span><span class="default">?> <br /></span> <br />e.g. www.example.com/somepage/param1=value1/param2=value2/etc=etc <br /> <br />Enjoy =)</span></code></div> </div> </div> <div class="note" id="30751"> <div class="votes"> <div id="Vu30751"> <a href="/manual/vote-note.php?id=30751&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd30751"> <a href="/manual/vote-note.php?id=30751&page=security.hiding&vote=down" title="Vote down!" class="usernotes-voted">down</a> </div> <div class="tally" id="V30751" title="51% like this..."> 1 </div> </div> <a href="#30751" class="name"> <strong class="user"><em>Bryce Nesbitt at Obviously.COM</em></strong></a><a class="genanchor" href="#30751"> ¶</a><div class="date" title="2003-03-27 08:24"><strong>21 years ago</strong></div> <div class="text" id="Hcom30751"> <div class="phpcode"><code><span class="html">Using the .php extension for all your scripts is not necessary, and in fact can be harmful (by exposing too much information about your server, and by limiting what you can do in the future without breaking links). There are several ways to hide your .php script extension:<br /><br />(1) Don't hard code file types at all. Don't specify any dots, and most web servers will automatically find your .php, .html, .pdf, .gif or other matching file. 
This is called canonical URL format:<br /> www.xxxxxx.com/page<br /> www.xxxxxx.com/directory/<br />This gives you great flexibility to change your mind in the future, and prevents Windows browsers from making improper assumptions about the file type.<br /><br />(2) In an Apache .htaccess file use:<br /> RewriteEngine on<br /> RewriteRule page.html page.php<br /><br />(3) Force the webserver to interpret ALL .html files as .php:<br /> AddType application/x-httpd-php .php3 .php .html</span></code></div> </div> </div> <div class="note" id="68777"> <div class="votes"> <div id="Vu68777"> <a href="/manual/vote-note.php?id=68777&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd68777"> <a href="/manual/vote-note.php?id=68777&page=security.hiding&vote=down" title="Vote down!" class="usernotes-voted">down</a> </div> <div class="tally" id="V68777" title="49% like this..."> -1 </div> </div> <a href="#68777" class="name"> <strong class="user"><em>simon at carbontwelevedesign dot co dot uk</em></strong></a><a class="genanchor" href="#68777"> ¶</a><div class="date" title="2006-08-10 05:31"><strong>18 years ago</strong></div> <div class="text" id="Hcom68777"> <div class="phpcode"><code><span class="html">I use the following in the .htaccess document<br /><br /><IfModule mod_rewrite.c><br />RewriteEngine On<br />RewriteBase /<br />RewriteCond %{REQUEST_FILENAME} !-f<br />RewriteCond %{REQUEST_FILENAME} !-d<br />RewriteRule . 
/index.php [L]<br /></IfModule><br /><br />then the following simple code<br /><br /><span class="default"><?php<br /><br />$permalinks </span><span class="keyword">= </span><span class="default">explode</span><span class="keyword">(</span><span class="string">"/"</span><span class="keyword">,</span><span class="default">$_SERVER</span><span class="keyword">[</span><span class="string">'REQUEST_URI'</span><span class="keyword">]);<br /><br /></span><span class="default">$varone </span><span class="keyword">= </span><span class="default">$permalinks</span><span class="keyword">[</span><span class="default">1</span><span class="keyword">];<br /></span><span class="default">$vartwo </span><span class="keyword">= </span><span class="default">$permalinks</span><span class="keyword">[</span><span class="default">2</span><span class="keyword">];<br /><br />...<br /><br /></span><span class="default">?></span></span></code></div> </div> </div> <div class="note" id="41458"> <div class="votes"> <div id="Vu41458"> <a href="/manual/vote-note.php?id=41458&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd41458"> <a href="/manual/vote-note.php?id=41458&page=security.hiding&vote=down" title="Vote down!" 
class="usernotes-voted">down</a> </div> <div class="tally" id="V41458" title="48% like this..."> -2 </div> </div> <a href="#41458" class="name"> <strong class="user"><em>php at user dot net</em></strong></a><a class="genanchor" href="#41458"> ¶</a><div class="date" title="2004-04-10 06:36"><strong>20 years ago</strong></div> <div class="text" id="Hcom41458"> <div class="phpcode"><code><span class="html">What about this in a .htaccess file:<br /><br />RewriteEngine on<br />RewriteRule ^$ /index.php [L]<br />RewriteRule ^([a-zA-Z0-9\-\_/]*)/$ /$1/index.php [L]<br />RewriteRule ^([a-zA-Z0-9\-\_/]*)\.(html|htm)$ /$1.php [L]<br />RewriteRule ^([a-zA-Z0-9\-\_/]*)$ /$1.php [L]<br /><br />Typing "sub.domain.foo/anything" loads "/anything/index.php" if 'anything' is a directory, else it loads "/anything.php".<br /><br />I'm sure you can find much better, but it works great on my site :)</span></code></div> </div> </div> <div class="note" id="43240"> <div class="votes"> <div id="Vu43240"> <a href="/manual/vote-note.php?id=43240&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd43240"> <a href="/manual/vote-note.php?id=43240&page=security.hiding&vote=down" title="Vote down!" 
class="usernotes-voted">down</a> </div> <div class="tally" id="V43240" title="47% like this..."> -4 </div> </div> <a href="#43240" class="name"> <strong class="user"><em>php at vfmedia dot de</em></strong></a><a class="genanchor" href="#43240"> ¶</a><div class="date" title="2004-06-15 06:21"><strong>20 years ago</strong></div> <div class="text" id="Hcom43240"> <div class="phpcode"><code><span class="html">I've found an easy way to hide php code and the uri is searchable by google and others...(only for unix or linux)<br /><br />At first I have some rules in my hide.conf (I made an extra .conf for it (apache 2.0))<br /><br />For example when I want to mask the index.php<br /><br /><Files index><br /> ForceType application/x-httpd-php<br /> </Files><br /><br />My problem is, that my code should be readable...<br /><br />so I made an extra folder for example srv/www/htdocs/static_output<br /><br />My phpcode is in the includefolder....(for ex. mnt/source/index.php)<br /><br />Then I made a link in the shell > ln mnt/source/index.php srv/www/htdocs/static_output/index<br /><br />So the code is readable (with .php extension) in my includefolder and there is only the link in the srv folder without extension(which is called by the browser...).</span></code></div> </div> </div> <div class="note" id="122229"> <div class="votes"> <div id="Vu122229"> <a href="/manual/vote-note.php?id=122229&page=security.hiding&vote=up" title="Vote up!" class="usernotes-voteu">up</a> </div> <div id="Vd122229"> <a href="/manual/vote-note.php?id=122229&page=security.hiding&vote=down" title="Vote down!" 
class="usernotes-voted">down</a> </div> <div class="tally" id="V122229" title="42% like this..."> -4 </div> </div> <a href="#122229" class="name"> <strong class="user"><em>omolewastephen at gmail dot com</em></strong></a><a class="genanchor" href="#122229"> ¶</a><div class="date" title="2018-01-04 10:03"><strong>6 years ago</strong></div> <div class="text" id="Hcom122229"> <div class="phpcode"><code><span class="html">I used this on my site and it works great for me<br /><br /># RewriteEngine on<br /><br /># Rewrite /foo/bar to /foo/bar.php<br /># RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]<br /><br /># Return 404 if original request is /foo/bar.php<br /># RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"<br /># RewriteRule .* - [L,R=404]<br /><br /># NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:<br /># RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]</span></code></div> </div> </div></div> </section> </section><!-- layout-content --> </div><!-- layout --> <footer> <div class="container footer-content"> <div class="row-fluid"> <ul class="footmenu"> <li><a href="/manual/en/copyright.php">Copyright © 2001-2024 The PHP Documentation Group</a></li> </ul> </div> </div> </footer> </body> </html>