PHP Security Tip #4
“Security through obscurity is no security at all,” so the adage goes. The flip side of that coin, however, is that obscurity, when used as part of an overall strategy, is a good thing. There’s no sense in making things any easier for those with malicious intent. That brings us to our security tip for the day.
Give files and folders with critical information non-default names.
Don’t rely on obscure names to keep your application safe. You should always check permissions, test for vulnerabilities with testing tools, and keep an eye on your log files for suspicious activity. When designing your applications and web sites, though, don’t make it easy for bad people to do bad things. Don’t use default or common names for your files and directories.
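As an added example (not code from the original post), here is a small Python audit that does the two mechanical parts of the tip: it walks a document root and reports entries whose names are well-known defaults, sensitive entries that every local user can read, and anything world-writable. The COMMON_NAMES list and the sample tree it builds are constructed assumptions for the demo; extend the list for your own site.

```python
"""Audit a web document root for default/common names on sensitive
files and directories, and for loose permissions on them.

Added example, not code from the original post. COMMON_NAMES and the
sample tree built below are constructed assumptions for the demo.
"""
import os
import shutil
import stat
import tempfile

# Constructed list of names that are routinely probed for; extend it for your site.
COMMON_NAMES = {
    "admin", "administrator", "password", "passwords", "private",
    "protected", "passwd", ".htpasswd", "backup", "config.bak",
}


def audit_docroot(root):
    """Walk root and return a sorted list of (relative_path, issue) tuples.

    Issues reported:
      common-name                   basename is in COMMON_NAMES (case-insensitive)
      sensitive-and-world-readable  a common-name entry is readable by 'other'
      world-writable                any entry is writable by 'other'
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            if name.lower() in COMMON_NAMES:
                findings.append((rel, "common-name"))
                if mode & stat.S_IROTH:
                    findings.append((rel, "sensitive-and-world-readable"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed document root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    # Directories: a default name with open perms, a random name, a world-writable upload dir.
    for name, mode in (("admin", 0o755), ("Luxmox45", 0o750), ("uploads", 0o777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    # Files: a credential file locked down properly, and an ordinary page.
    files = {
        ".htpasswd": ("user:$apr1$constructed$hash\n", 0o600),
        "index.php": ("<?php echo 'hello'; ?>\n", 0o644),
    }
    for name, (body, mode) in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


def remove_sample_tree(root):
    """Delete the constructed tree again."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for rel, issue in audit_docroot(sample):
            print(f"{issue:30} {rel}")
    finally:
        remove_sample_tree(sample)
```

Run against a real document root, the output is a to-do list: rename or relocate the common-name entries, and tighten the modes on anything flagged as world-readable or world-writable. A randomly named directory such as Luxmox45 passes the name check but still has to pass the permission check, which is the point of the tip: obscurity is a supplement to, not a replacement for, correct permissions.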
Do you have a security tip you would like to share? A nugget of security truth you have gleaned through research or life’s school of hard knocks? Log in and click the contribute button in the upper right hand corner.
=C=

Comments
* admin
* password
* private
* protected
what else might come to mind?
J
The two that come to mind for me are:
* .htpasswd
* passwd
Even putting them outside of your Apache root, I wouldn’t use them.
=C=
I regularly give the PHP directories names like
* Luxmox45
* Padega23
and so on (I actually get them from a password generator script); surely, nobody can guess these...
In addition, all these directories contain a very simple 'index.php' file which just sets a 404 error code (using the header command) and some text output that looks as if it came from the web server. So just *in case* somebody tried to find out where the goodies are hidden...
Any other ideas?
/sascha