Disable ServerSignature

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
Louis7777
Registered User
Posts: 394
Joined: Fri Apr 04, 2014 12:32 am

Re: Disable ServerSignature

Post by Louis7777 »

DavidIQ wrote:
Louis7777 wrote: Yes, and the .htaccess files are mainly for Apache web servers. Still, we have them.
Yes because they're needed for url rewriting, not to change server configuration. There is also a web.config file.
And so they mainly benefit Apache and IIS servers. Apache web servers alone are used by more than 50% of the Internet's websites. So "the change here that only benefits Apache web servers" is quite the beneficial change.

And if you can change server configuration to your benefit I don't see what's wrong with it?

Other notable open source platforms that I use don't have any hesitation to enforce the desirable server configuration (if it can be applied of course). OpenCart for instance, takes security very seriously (since it's an e-shop platform), and offers a number of configuration options in its root .htaccess (such as max upload file size and max execution time for scripts) including "Options -Indexes" to prevent directory listings.
DavidIQ wrote:
Louis7777 wrote: Anyway, it's just one line that benefits security - what's wrong with it?
That it provides a false sense of security since it would only apply to one folder? Doesn't really provide a whole lot of benefit and one could even argue it might be harmful to have the user think that everything is somehow ok with this "one line" in place. In any case if the developers want to add it then that's fine of course. I'm just giving my opinion. ;)
The OP suggested that we place it in the root .htaccess which means that it would apply for all the folders.

And the code is just this:

Code:

# Disable server signature
ServerSignature Off
I don't see how the owner would get any false ideas about his security. If he opens the .htaccess file and reads "Disable server signature" he'll either know what that means or he'll google it and find out. I doubt that he'll read anywhere that it will make his website 100% hackproof. And if he doesn't ever open the file to read it, then no harm done.
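The scope question argued in this thread (does a directive in phpBB's root .htaccess reach the folders below it, and what about the rest of the site) follows Apache's merge order: each .htaccess applies to its own directory and everything under it, and a deeper .htaccess overrides its ancestors. The script below is an added example, not code from phpBB or from anyone in this thread. It models that merge order over a constructed set of .htaccess files, and it also checks a served page for the footer that ServerSignature controls (the "Apache/x.y Server at host Port n" line on server-generated error pages and directory listings). Two caveats worth knowing when reading it: the directive only takes effect when the host's AllowOverride permits it, and it does not touch the Server response header, which is governed by ServerTokens and cannot be set from .htaccess at all. The sample error pages and file contents are constructed for the example.

```python
"""Added example: model how a ServerSignature directive set in one .htaccess
propagates to subdirectories, and check a served page for the footer it
controls. Not phpBB code; file contents and pages below are constructed."""
import posixpath
import re
from typing import Dict, Optional

# Constructed .htaccess files keyed by directory relative to the document root.
# "phpBB" stands in for the forum folder; these are not phpBB's shipped files.
HTACCESS_FILES: Dict[str, str] = {
    "phpBB": "# Disable server signature\nServerSignature Off\n",
    "phpBB/styles": "Options -Indexes\n",
    "phpBB/cache": "ServerSignature On\n",  # deeper file overrides its parent
}


def effective_directive(files: Dict[str, str], request_path: str,
                        directive: str) -> Optional[str]:
    """Walk from the document root down to the requested file's directory and
    return the last value seen for `directive`. None means no .htaccess on the
    path sets it, so the server-level configuration applies.

    Mirrors Apache's merge order: a .htaccess applies to its directory and all
    subdirectories, and a deeper .htaccess overrides its ancestors."""
    value = None
    directory = posixpath.dirname(request_path.strip("/"))
    parts = [p for p in directory.split("/") if p]
    for depth in range(len(parts) + 1):
        dir_key = "/".join(parts[:depth])  # "" is the document root itself
        content = files.get(dir_key)
        if content is None:
            continue
        for line in content.splitlines():
            line = line.strip()
            # Apache comments are whole lines starting with '#'
            if not line or line.startswith("#"):
                continue
            name, _, arg = line.partition(" ")
            if name.lower() == directive.lower():
                value = arg.strip()
    return value


# Constructed responses modelled on Apache's default 404 page, one with the
# signature footer present and one without it.
ERROR_PAGE_ON = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at forum.example.test Port 443</address>
</body></html>
"""
ERROR_PAGE_OFF = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
"""

SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)


def find_server_signature(html: str) -> Optional[str]:
    """Return the signature line Apache appends to its own error pages and
    directory listings when ServerSignature is On (or EMail), else None.
    Inner tags (the mailto link produced by ServerSignature EMail) are
    stripped so the caller gets plain text."""
    match = SIGNATURE_RE.search(html)
    if not match:
        return None
    text = re.sub(r"<[^>]+>", "", match.group(1)).strip()
    return text if "Server at" in text else None


if __name__ == "__main__":
    for path in ("/index.php", "/phpBB/viewtopic.php",
                 "/phpBB/styles/prosilver/theme/x.css", "/phpBB/cache/x.php"):
        print(path, "->", effective_directive(HTACCESS_FILES, path,
                                              "ServerSignature"))
    print("signature on :", find_server_signature(ERROR_PAGE_ON))
    print("signature off:", find_server_signature(ERROR_PAGE_OFF))
```

Run against the constructed files, the forum folder and its subfolders resolve to Off while /index.php outside the forum folder resolves to None (the server default), which is exactly the split DavidIQ and Louis7777 are describing. The footer check is the quickest way to confirm what a real host actually serves: request a path that does not exist and look for the `<address>` line.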

Nicofuma
3.2 Release Manager
Posts: 299
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Disable ServerSignature

Post by Nicofuma »

I agree with David, this is unrelated to phpBB. Also, if we would use the .htaccess to enforce the default security we shouldn't set only this single var, but all the vars which could be used for this goal.

About the url rewriting it's completely unrelated because it is directly related to a feature of the software and if there is the config for apache and IIS only it's because we know how to configure them with a simple file in the root directory. If you know how to do the same for another http server feel free to create a ticket and to send a PR.
Member of the phpBB Development-Team
No Support via PM

Louis7777
Registered User
Posts: 394
Joined: Fri Apr 04, 2014 12:32 am

Re: Disable ServerSignature

Post by Louis7777 »

Nicofuma wrote: Also, if we would use the .htaccess to enforce the default security we shouldn't set only this single var, but all the vars which could be used for this goal.
I don't see why there would be such pressure involved, especially if the other settings are not a case of only one line of code. In this case there was a legitimate request by the OP. Of course he can still add it himself.
Nicofuma wrote: About the url rewriting it's completely unrelated because it is directly related to a feature of the software and if there is the config for apache and IIS only it's because we know how to configure them with a simple file in the root directory. If you know how to do the same for another http server feel free to create a ticket and to send a PR.
There are a few sample configuration files for other web servers in the docs/, but two of them haven't been updated in years...

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: Disable ServerSignature

Post by DavidIQ »

Louis7777 wrote: The OP suggested that we place it in the root .htaccess which means that it would apply for all the folders.
Didn't realize that but that's even worse and even less related to phpBB. Administrators are directed to upload the phpBB folder in the package or its contents to a folder on the server. So including a new and random .htaccess file outside of that with separate or additional instructions for it sounds a bit strange. Obviously if someone wants to create a file and drop it in their site root they're more than welcome to do so.

Louis7777
Registered User
Posts: 394
Joined: Fri Apr 04, 2014 12:32 am

Re: Disable ServerSignature

Post by Louis7777 »

DavidIQ wrote:
Louis7777 wrote: The OP suggested that we place it in the root .htaccess which means that it would apply for all the folders.
Didn't realize that but that's even worse and even less related to phpBB. Administrators are directed to upload the phpBB folder in the package or its contents to a folder on the server. So including a new and random .htaccess file outside of that with separate or additional instructions for it sounds a bit strange. Obviously if someone wants to create a file and drop it in their site root they're more than welcome to do so.
Who said anything about creating a new file? Obviously the case here is the .htaccess file that comes with the phpBB folder...

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: Disable ServerSignature

Post by DavidIQ »

Louis7777 wrote: Who said anything about creating a new file? Obviously the case here is the .htaccess file that comes with the phpBB folder...
Then why would you say it would apply to all folders?
Louis7777 wrote: The OP suggested that we place it in the root .htaccess which means that it would apply for all the folders.
If you meant all folders under the phpBB folder that's exactly what I'm talking about...that it would only apply to the forum's folder, which includes sub folders there, and the rest of the site would still have this setting on. :roll:

Louis7777
Registered User
Posts: 394
Joined: Fri Apr 04, 2014 12:32 am

Re: Disable ServerSignature

Post by Louis7777 »

DavidIQ wrote:
Louis7777 wrote: Who said anything about creating a new file? Obviously the case here is the .htaccess file that comes with the phpBB folder...
Then why would you say it would apply to all folders?
Louis7777 wrote: The OP suggested that we place it in the root .htaccess which means that it would apply for all the folders.
If you meant all folders under the phpBB folder that's exactly what I'm talking about...that it would only apply to the forum's folder, which includes sub folders there, and the rest of the site would still have this setting on. :roll:
Well of course I meant all folders under the phpBB folder. That's the package that phpBB offers and whose development we are discussing. At least nothing under that folder will give away details about the server.

So what about folders on upper directories you say? Those may not even have the directory views disabled apart from the server signature. On the other hand, phpBB cares to prevent them. So what can be done? Always set an example. That. The user might study the code of his software and follow.

John P
Posts: 157
Joined: Sun Nov 04, 2012 7:39 am
Location: Netherlands

Re: Disable ServerSignature

Post by John P »

I also turned it off as many people were looking at files and version numbers. Think for a good package it is also the responsibility of the manufacturer of the package.
It is easy said the host should do this but it is as easy for the manufacturer of the software package.
People can ask if they want to know version numbers or other stuff.

samwisesk8r
Registered User
Posts: 11
Joined: Sat Aug 23, 2014 7:24 pm

Re: Disable ServerSignature

Post by samwisesk8r »

@John that is why I proposed it and since I am lazy to disable it myself.. the less things I have to remember for each installation the better :D

Louis7777
Registered User
Posts: 394
Joined: Fri Apr 04, 2014 12:32 am

Re: Disable ServerSignature

Post by Louis7777 »

So, is it worth creating a ticket for this?
