sallyjoshua Posted January 12, 2015 (edited)
I read somewhere that it is good practice to hide the file extension of your web pages for security reasons, as this makes it more difficult for hackers to know what code you are using, and also that when you migrate from one language to another it's easier, as you don't have to change file naming for SEO purposes. So my question is, how do I hide file extensions for web pages? I.e. instead of websitename.com/toys.html I want to have the URL read websitename.com/toys

dsonesuk Posted January 12, 2015
mod_rewrite will display an extensionless URL while calling the original file. Just google it; there are plenty of examples of how to use this, and sites that will validate your code as well. Note: requires a server language such as PHP, ASP, etc.

davej Posted January 12, 2015
I was recently looking at some security information related to Joomla and was rather shocked to learn that basic web security requires URL rewriting. You apparently need to set up blocking/rewrite rules to block out many common methods of attack. I don't know which of these are related to weakness of PHP or Apache or something else...

- block scripts that try to set a mosConfig value through the URL
- block scripts that try to base64_encode stuff to send via URL
- block scripts that include a <script> tag in the URL
- block scripts that try to set a PHP GLOBALS variable via URL
- block scripts that try to modify a _REQUEST variable via URL

To me it seems that these security vulnerabilities should not exist. They should be eliminated in the underlying software.

Ingolme Posted January 12, 2015
I don't believe URL rewriting is a required layer of security. URL rewriting is just for easier to read URLs. Security should be properly handled in the code. You can use .htaccess to forbid access to particular files that are not meant to be opened in the browser, but not with URL rewriting, you would use the Allow / Deny directives for that.

davej Posted January 12, 2015
Yes, you are correct. This is actually .htaccess blocking -- not actual rewriting -- but I think that is equally silly.

Ingolme Posted January 12, 2015
Blocking access to certain files is actually an important security measure. Hiding a file extension, not so much. Security through obscurity is not real security.

davej Posted January 12, 2015
But it seems like PHP allows too much to be done via URL, and this is stuff that should not be allowed via URL. One example is the PHP_SELF hazard which is vulnerable to hackers...

http://www.w3schools.com/php/php_form_validation.asp

"The $_SERVER["PHP_SELF"] variable can be used by hackers! If PHP_SELF is used in your page then a user can enter a slash (/) and then some Cross Site Scripting (XSS) commands to execute."

Ingolme Posted January 12, 2015
Like with any user input, if you're going to print it out you need to make sure that it doesn't change the page's HTML code. It's no less secure than $_GET or $_POST.

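The point above about PHP_SELF being ordinary user input, shown as an added example that is not part of any post in this thread: the same form tag built without and with output escaping. The function names, the `$server` array standing in for `$_SERVER`, and the request values are assumptions constructed for illustration.

```php
<?php
// Added example, not from the thread. $server stands in for $_SERVER so the
// script runs from the command line; the request values are constructed.

// "Before": PHP_SELF is written into the action attribute unescaped.
function form_tag_unescaped(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// "After": escape at output time, exactly as for $_GET or $_POST values.
function form_tag_escaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Alternative: SCRIPT_NAME omits the trailing path info that PHP_SELF
// carries. It is still escaped, since it is printed into HTML.
function form_tag_script_name(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// A correct result is a single tag, so it contains exactly one '<'.
function markup_intact(string $tag): bool
{
    return substr_count($tag, '<') === 1;
}

// Constructed requests: a plain one, and one with extra path info after
// the script name that contains a quote and a harmless <b> marker.
$requests = [
    'plain request' => ['PHP_SELF' => '/form.php', 'SCRIPT_NAME' => '/form.php'],
    'path info with markup' => [
        'PHP_SELF' => '/form.php/"><b>injected</b>',
        'SCRIPT_NAME' => '/form.php',
    ],
];

foreach ($requests as $label => $server) {
    echo "== $label ==\n";
    foreach (['form_tag_unescaped', 'form_tag_escaped', 'form_tag_script_name'] as $fn) {
        $tag = $fn($server);
        echo str_pad($fn, 22), markup_intact($tag) ? 'intact   ' : 'ALTERED  ', $tag, "\n";
    }
}
```

Only the unescaped variant lets the request path close the attribute and add its own element; the other two emit the value as inert text inside `action`.
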
davej Posted January 13, 2015
Since I don't even understand the threats it is impossible for me to evaluate them. The only way I see the non-persistent page mods as being a threat is when they are embedded in links which people then unknowingly click on.

Back to the OP's question...

http://stackoverflow.com/questions/6534904/how-to-remove-file-extension-from-website-address
http://httpd.apache.org/docs/2.4/howto/htaccess.html