Thread: Hiding handler scripts
Jun 25, 2007, 13:59 #1
Hiding handler scripts
I read somewhere about hiding scripts so that they cannot be backdoored by using a combination of mod_rewrite to hide the real location of a file and $_SERVER['HTTP_REFERER'], so that a malicious user can't send a false HTTP_REFERER value if they don't know where the file is located in the first place.
Anyone know anything about this?
Jun 25, 2007, 14:51 #2
"Security through obscurity is no security at all."
Using mod_rewrite doesn't "hide" your scripts at all, since any HTTP request will be routed to your scripts and anyone who gains filesystem access can easily read your rewrite rules to find your scripts or else just find them the old-fashioned way. All you accomplish with mod_rewrite is pretty URLs that look nicer in your users' browsers than "page.php?var=val&var2=val2&var3=val3".
HTTP_REFERER is even more worthless, as many browsers and all or most anonymizing proxies can be configured to not send the REFERER header and/or spoof it - many users use these features in an attempt to protect their privacy. Thus you can't rely on the header being there, nor even on it being accurate, and locking out your valid users because they are trying to defend their privacy is only going to drive your users away.
To protect your scripts against "being backdoored", code them well and adopt strong security habits, such as always validating user input.
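A PHP illustration of the reply's point, added here and not part of the thread: a referer "gate" for a hypothetical handler script beside the input validation the reply recommends instead. The handler name, parameter names and sample requests are assumptions.

```php
<?php
// Added example, not code from the thread. Contrast a Referer-based gate with
// validating the request itself, for an assumed form handler (handle.php).

// Weak: gate on the Referer header. It is absent when a browser or proxy strips
// it, so legitimate privacy-conscious users are locked out, and it is just a
// client-supplied string, so it proves nothing about where the request came from.
function refererGateAllows(array $server, string $expectedHost): bool
{
    if (!isset($server['HTTP_REFERER'])) {
        return false; // header stripped by the client: a valid user is rejected
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Better: ignore what the request claims about its origin and validate what it
// carries. Returns a normalised request, or null if anything is off.
function validateHandlerInput(array $post): ?array
{
    $allowedActions = ['view', 'update', 'delete']; // allowlist, not blocklist
    $action = $post['action'] ?? '';
    if (!in_array($action, $allowedActions, true)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects non-numeric and out-of-range values outright.
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    return ['action' => $action, 'id' => $id];
}

// Constructed sample requests (not real traffic).
$privacyUser = [];                                          // Referer stripped
$anyClient   = ['HTTP_REFERER' => 'http://example.com/form']; // any client can send this
var_dump(refererGateAllows($privacyUser, 'example.com'));   // false: valid user locked out
var_dump(refererGateAllows($anyClient, 'example.com'));     // true: header proves nothing

var_dump(validateHandlerInput(['action' => 'delete', 'id' => '17']));   // accepted, id as int 17
var_dump(validateHandlerInput(['action' => 'drop', 'id' => '17; --'])); // NULL: rejected
```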