How do I hide the file extension of web pages


sallyjoshua

I read somewhere that it is good practice to hide the file extension of your web pages for security reasons, as this makes it more difficult for hackers to know what code you are using, and also that when you migrate from one language to another it's easier: you don't have to change file naming for SEO purposes.

 

So my question is, how do I hide file extensions for web pages?

 

i.e., instead of websitename.com/toys.html I want to have the URL read websitename.com/toys


I was recently looking at some security information related to Joomla and was rather shocked to learn that basic web security requires URL rewriting. You apparently need to set up blocking/rewrite rules to block out many common methods of attack. I don't know which of these are related to weaknesses of PHP or Apache or something else...

- block scripts that try to set a mosConfig value through the URL
- block scripts that try to base64_encode stuff to send via URL
- block scripts that include a <script> tag in the URL
- block scripts that try to set a PHP GLOBALS variable via URL
- block scripts that try to modify a _REQUEST variable via URL

 

To me it seems that these security vulnerabilities should not exist. They should be eliminated in the underlying software.


I don't believe URL rewriting is a required layer of security. URL rewriting is just for easier-to-read URLs. Security should be properly handled in the code.

 

You can use .htaccess to forbid access to particular files that are not meant to be opened in the browser, but not with URL rewriting; you would use the Allow / Deny directives for that.


Blocking access to certain files is actually an important security measure. Hiding a file extension, not so much. Security through obscurity is not real security.


But it seems like PHP allows too much to be done via URL, and this is stuff that should not be allowed via URL. One example is the PHP_SELF hazard which is vulnerable to hackers...

 

http://www.w3schools.com/php/php_form_validation.asp

 

The $_SERVER["PHP_SELF"] variable can be used by hackers! If PHP_SELF is used in your page then a user can enter a slash (/) and then some Cross Site Scripting (XSS) commands to execute.


Like with any user input, if you're going to print it out you need to make sure that it doesn't change the page's HTML code. It's no less secure than $_GET or $_POST.

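The escaping described in the reply above, applied to PHP_SELF, as an added example that is not part of the original thread. The sample value and the function names are constructed for illustration; the same `htmlspecialchars` call applies to anything from `$_GET` or `$_POST` that is printed into a page.

```php
<?php
declare(strict_types=1);

// Constructed sample value (not from the thread): what PHP_SELF can contain
// when extra path text is appended after the script name in the URL.
$constructedSelf = '/form.php/"><script>alert(1)</script>';

// Unescaped output: the value is copied into the attribute as-is,
// so its quote and angle brackets become part of the page's HTML.
function formTagRaw(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

// Escaped output: ", ', <, > and & are turned into entities, so the
// browser treats the whole value as attribute text, not markup.
function formTagEscaped(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Reports whether the rendered output contains any tag besides the
// single <form ...> tag the page intended to print.
function addsMarkup(string $html): bool
{
    return substr_count($html, '<') > 1;
}

// Render both variants with the same constructed input and compare.
$variants = [
    'raw'     => formTagRaw($constructedSelf),
    'escaped' => formTagEscaped($constructedSelf),
];

foreach ($variants as $label => $html) {
    printf("%-8s %s\n         adds markup: %s\n",
        $label, $html, addsMarkup($html) ? 'yes' : 'no');
}
```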

Since I don't even understand the threats it is impossible for me to evaluate them. The only way I see the non-persistent page mods as being a threat is when they are embedded in links which people then unknowingly click on.

 

Back to the OP's question...

 

http://stackoverflow.com/questions/6534904/how-to-remove-file-extension-from-website-address

 

http://httpd.apache.org/docs/2.4/howto/htaccess.html
