
How to use UrlToolkit to strip the page extension?

Voight Kampff
11 November 2013, 04:12
Having followed the HOWTO, in particular http://www.hiawatha-webserver.org/howto/php_configuration

I started wondering, what's the point of having "expose_php = Off" if one can still test it through site access (e.g. website.web/index.php)?

I spent some time with the UrlToolkit but had no success.
Is it possible to have Hiawatha strip the file extension of the page accessed?

Example, if someone tries to access "website.web/index.php" or "website.web/index.py" or "website.web/index.asp", he is redirected to website.web/index.php but what is shown on the browser address bar is simply "website.web/index" (or in this particular index case just "website.web").



Thanks


Hiawatha version: 9.2
Operating System: Debian

Hugo Leisink
11 November 2013, 22:30
The reason for setting expose_php to 'off' is to not publish the PHP version you are using. Automated vulnerability scanners create a database of servers running a specific version, and when an exploit comes out for a specific version, they immediately target servers which run that version.

To hide the index.php file, simply redirect all requests for non-existing files to index.php and let index.php decide how to handle the request (which can be found in $_SERVER["REQUEST_URI"]). Use this UrlToolkit rule for that:

UrlToolkit {
    ToolkitID = generic_rewrite
    RequestURI exists Return
    Match .* Rewrite /index.php
}
This topic has been closed.
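A sketch of the index.php that the rule above hands every request to, added here as an example and not part of the original thread: it redirects extension-bearing URLs to the clean form and resolves the path through an allow-list instead of including a file named by REQUEST_URI. The route names and the pages/ files are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example, not from the thread. Routes and page files are hypothetical.

// Allow-list: clean URL path => script to run. Nothing outside this map
// is ever included, so REQUEST_URI cannot select an arbitrary file.
const ROUTES = [
    '/'        => 'pages/home.php',
    '/index'   => 'pages/home.php',
    '/contact' => 'pages/contact.php',
];

function resolve_route(string $requestUri): array
{
    // Keep only the path; the query string is already available in $_GET.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return ['status' => 400];
    }
    $path = rawurldecode($path);

    // /index.php, /index.py, /index.asp ... => redirect to the clean URL.
    // Every segment must be non-empty, so the Location value can never
    // start with "//" and be read as a different host.
    if (preg_match('#^((?:/[A-Za-z0-9_-]+)+)\.(?:php|py|asp)$#', $path, $m)) {
        return ['status' => 301, 'location' => $m[1]];
    }

    if (isset(ROUTES[$path])) {
        return ['status' => 200, 'script' => ROUTES[$path]];
    }
    return ['status' => 404];
}

$route = resolve_route($_SERVER['REQUEST_URI'] ?? '/');

switch ($route['status']) {
    case 301:
        header('Location: ' . $route['location'], true, 301);
        break;
    case 200:
        require __DIR__ . '/' . $route['script'];
        break;
    default:
        http_response_code($route['status']);
}
```

Because index.php exists on disk, the "RequestURI exists Return" line serves a direct request for /index.php without rewriting it, so the redirect branch is what removes the extension from the address bar in that case.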