
I am writing a web application in php using Apache server. What I would like to do is have the index.php (and other files) display as *.aspx files, to confuse potential hackers.

Can this be done by editing the .htaccess file, and if so, what are the relevant lines to edit?

upthere
  • Nobody can see your PHP code unless a) they hack the file system of your server or b) your server is misconfigured to serve the PHP as plain text. Either way the only confusion a hacker is going to get from that is wondering why you named a PHP file .aspx – Ken Herbert Feb 17 '14 at 04:39
  • This will add *very little* in the way of security. First of all, it's [Security Through Obscurity](http://en.wikipedia.org/wiki/Security_through_obscurity), which is generally considered very weak. Additionally, there are a number of ways to trivially detect that PHP is being used instead of ASP.NET (e.g. `X-Powered-By` header, [easter egg image queries](http://stackoverflow.com/questions/10458610/how-can-i-disable-phps-easter-egg-urls), ...) – ChrisGPT was on strike Feb 17 '14 at 04:40
  • @winterblood I think that he actually wants to confuse the hackers by making the server look like it's a Windows Server serving ASP.NET pages. –  Feb 17 '14 at 04:41
  • @André As Chris says, it is very easy to tell the difference, any hacker worth their l33t isn't going to base their attempts off a file extension. – Ken Herbert Feb 17 '14 at 04:43
  • @winterblood yeah I agree that's useless. –  Feb 17 '14 at 04:44
  • I know it's weak security. But I want to do it anyway. Every little bit helps, right? – upthere Feb 17 '14 at 05:04

2 Answers


Serving the wrong file extension is not how you would achieve security, as it would not be enough to fool potential hackers. It might not even be enough to fool the guys at builtwith.com.

Instead of researching how to mislead the hackers with simple tricks, research ways to secure your application better. You can start that at PHP.net and Stack Overflow.

If you insist, you can use Apache mod_rewrite for that.

Something along these lines (not tested):

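```apache
RewriteEngine On
RewriteBase /

# Only rewrite when the requested .aspx path is not a real file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# ...and a PHP script with the same base name exists
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
# Map foo.aspx to foo.php internally (the dot is escaped so it matches literally)
RewriteRule ^(.+)\.aspx$ /$1.php [L,QSA]
```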

Otherwise, you can also add a MIME type in Apache to serve *.aspx files as PHP.

```apache
AddType application/x-httpd-php .aspx
```
Sutandiono
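The point raised in the comments, that response headers identify PHP whatever extension the URL carries, as an added example (not code from the question or either answer): a self-audit over a captured response head from your own server. The sample response and its version strings are constructed; `expose_php`, `ServerTokens` and `session.name` are the standard settings that remove each signal.

```python
import re

# Response-header patterns that identify PHP regardless of the URL's extension.
# Each entry: (header name, pattern, setting that removes the leak).
PHP_SIGNALS = [
    ("x-powered-by", re.compile(r"php", re.I), "expose_php = Off in php.ini"),
    ("server", re.compile(r"php", re.I), "ServerTokens Prod in the Apache config"),
    ("set-cookie", re.compile(r"^\s*PHPSESSID=", re.I), "session.name in php.ini"),
]

def parse_headers(raw):
    """Split a raw HTTP response head into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw_response_head):
    """Return (header, value, fix) for every header that reveals PHP."""
    findings = []
    for name, value in parse_headers(raw_response_head):
        for sig_name, pattern, fix in PHP_SIGNALS:
            if name == sig_name and pattern.search(value):
                findings.append((name, value, fix))
    return findings

def extension_contradicted(url_path, findings):
    """True when the URL claims ASP.NET (.aspx) but the headers say PHP."""
    return url_path.lower().endswith(".aspx") and bool(findings)

# Constructed sample: a renamed page served by a default mod_php setup.
SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.4.7 (Unix) PHP/5.5.9
X-Powered-By: PHP/5.5.9
Set-Cookie: PHPSESSID=constructedvalue; path=/
Content-Type: text/html
"""

if __name__ == "__main__":
    found = audit(SAMPLE)
    for name, value, fix in found:
        print(f"{name}: {value!r} -> {fix}")
    print("extension contradicted:", extension_contradicted("/index.aspx", found))
```
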

According to this answer, you should add the following to your .htaccess:

```apache
AddType application/x-httpd-php .aspx
```

You can find more info about the AddType directive in the Apache documentation.

Community