php-doc-en/security/hiding.xml

<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.1 $ -->
<!-- splitted from ./index.xml, last change in rev 1.66 -->
  <sect1 id="security.hiding">
   <title>Hiding PHP</title>
   <para>
    In general, security by obscurity is one of the weakest forms of security.
    But in some cases, every little bit of extra security is desirable.
   </para>
   <para>
    A few simple techniques can help to hide PHP, possibly slowing
    down an attacker who is attempting to discover weaknesses in your
    system. By setting expose_php = off in your &php.ini; file, you
    reduce the amount of information available to them.
   </para>
   <para>
    Another tactic is to configure web servers such as apache to
    parse different filetypes through PHP, either with an &htaccess;
    directive, or in the apache configuration file itself. You can
    then use misleading file extensions:
    <example>
     <title>Hiding PHP as another language</title>
     <programlisting role="apache-conf">
<![CDATA[
# Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl
]]>
     </programlisting>
    </example>
    Or obscure it completely:
    <example>
     <title>Using unknown types for PHP extensions</title>
     <programlisting role="apache-conf">
<![CDATA[
# Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t
]]>
     </programlisting>
    </example>
    Or hide it as HTML code, which has a slight performance hit because
    all HTML will be parsed through the PHP engine:
    <example>
     <title>Using HTML types for PHP extensions</title>
     <programlisting role="apache-conf">
<![CDATA[
# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html
]]>
     </programlisting>
    </example>
    For this to work effectively, you must rename your PHP files with
    the above extensions. While it is a form of security through
    obscurity, it's a minor preventative measure with few drawbacks.
   </para>
  </sect1>


<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
split of monolithic index.xml git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@149789 c90b9560-bf6c-de11-be94-00142212c4b1 2004-01-26 13:22:25 +00:00			`<?xml version="1.0" encoding="iso-8859-1"?>`
			`<!-- $Revision: 1.1 $ -->`
			`<!-- splitted from ./index.xml, last change in rev 1.66 -->`
			`<sect1 id="security.hiding">`
			`<title>Hiding PHP</title>`
			`<para>`
			`In general, security by obscurity is one of the weakest forms of security.`
			`But in some cases, every little bit of extra security is desirable.`
			`</para>`
			`<para>`
			`A few simple techniques can help to hide PHP, possibly slowing`
			`down an attacker who is attempting to discover weaknesses in your`
			`system. By setting expose_php = off in your &php.ini; file, you`
			`reduce the amount of information available to them.`
			`</para>`
			`<para>`
			`Another tactic is to configure web servers such as apache to`
			`parse different filetypes through PHP, either with an &htaccess;`
			`directive, or in the apache configuration file itself. You can`
			`then use misleading file extensions:`
			`<example>`
			`<title>Hiding PHP as another language</title>`
			`<programlisting role="apache-conf">`
			`<![CDATA[`
			`# Make PHP code look like other code types`
			`AddType application/x-httpd-php .asp .py .pl`
			`]]>`
			`</programlisting>`
			`</example>`
			`Or obscure it completely:`
			`<example>`
			`<title>Using unknown types for PHP extensions</title>`
			`<programlisting role="apache-conf">`
			`<![CDATA[`
			`# Make PHP code look like unknown types`
			`AddType application/x-httpd-php .bop .foo .133t`
			`]]>`
			`</programlisting>`
			`</example>`
			`Or hide it as HTML code, which has a slight performance hit because`
			`all HTML will be parsed through the PHP engine:`
			`<example>`
			`<title>Using HTML types for PHP extensions</title>`
			`<programlisting role="apache-conf">`
			`<![CDATA[`
			`# Make all PHP code look like HTML`
			`AddType application/x-httpd-php .htm .html`
			`]]>`
			`</programlisting>`
			`</example>`
			`For this to work effectively, you must rename your PHP files with`
			`the above extensions. While it is a form of security through`
			`obscurity, it's a minor preventative measure with few drawbacks.`
			`</para>`
			`</sect1>`


			`<!-- Keep this comment at the end of the file`
			`Local variables:`
			`mode: sgml`
			`sgml-omittag:t`
			`sgml-shorttag:t`
			`sgml-minimize-attributes:nil`
			`sgml-always-quote-attributes:t`
			`sgml-indent-step:1`
			`sgml-indent-data:t`
			`indent-tabs-mode:nil`
			`sgml-parent-document:nil`
			`sgml-default-dtd-file:"../../manual.ced"`
			`sgml-exposed-tags:nil`
			`sgml-local-catalogs:nil`
			`sgml-local-ecat-files:nil`
			`End:`
			`vim600: syn=xml fen fdm=syntax fdl=2 si`
			`vim: et tw=78 syn=sgml`
			`vi: ts=1 sw=1`
			`-->`