Michael J. Radwin

Tales of a software engineer who keeps kosher and hates the web.

Hiding .php extensions in Apache

Here’s a neat little trick. If you want to serve PHP scripts without exposing the .php extension in your URLs, you can add something like this to your httpd.conf file:

DefaultType application/x-httpd-php

DirectoryIndex index index.html

Those directives tell Apache that a file with no extension (strictly, any file whose type no module could determine) should be run through the PHP interpreter: DefaultType supplies the fallback media type, and with mod_php loaded, application/x-httpd-php is the type that triggers the PHP handler. DirectoryIndex then lets a request for a directory resolve to the extensionless index script first, falling back to index.html. On the filesystem itself, any PHP script can be called foo.php or simply foo (i.e. have no extension at all). Be aware that DefaultType is server-wide: every file under DocumentRoot that lacks a recognized extension gets executed as PHP, including anything a user managed to upload, so an upload directory needs its own handler settings or should live outside DocumentRoot altogether.

In a standard Apache configuration, DefaultType is set to text/plain. This may have made sense in 1996, but these days pretty much everything is HTML. (Apache 2.4 later disabled DefaultType entirely; it only accepts the value none, so on a 2.4 server the same effect has to come from SetHandler inside a <FilesMatch> block.)

The DefaultType approach is substantially more efficient than Options MultiViews because there is no need for readdir() calls to figure out which file to serve. It gives the added flexibility that, if you ever rewrite part of your site to use a different technology (switch to mod_perl or whatever), the links won’t rot. And it’s 4 bytes less to send for each GET request!
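Here is the same trick done with scoped handlers instead of a server-wide DefaultType, as an added example that is not from the original post. It assumes Apache 2.4 with mod_php (2.4 dropped DefaultType, and its mod_dir serves a DirectoryIndex even when a FilesMatch handler matches the directory name, which 2.2 did not); the paths /var/www/html and /srv/uploads and the URL prefix /uploads are placeholders. The PHP handler is applied only to extensionless files in the script tree, and the upload directory is kept outside DocumentRoot and pinned to the static-file handler so nothing in it can execute regardless of its name:

```apache
# Added example, not from the original post. Assumes Apache 2.4 + mod_php.
# Paths /var/www/html, /srv/uploads and the /uploads URL prefix are placeholders.

# 1. What the post configures (Apache 2.0/2.2 only; 2.4 accepts only
#    "DefaultType none"). It applies to EVERY extensionless file under
#    DocumentRoot, uploads included, which is why it is left commented out.
#DefaultType application/x-httpd-php
#DirectoryIndex index index.html

# 2. Scoped version: only extensionless files inside the script tree run as PHP.
<Directory "/var/www/html">
    # Basenames with no "." get the PHP handler; foo.css, foo.png and
    # friends keep the normal MIME type mod_mime assigns them.
    <FilesMatch "^[^.]+$">
        SetHandler application/x-httpd-php
        # php-fpm instead of mod_php (socket path is a placeholder):
        #SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost/"
    </FilesMatch>
    # Let /dir/ resolve to the extensionless script before index.html.
    DirectoryIndex index index.html
</Directory>

# 3. User uploads live outside DocumentRoot and are mapped in with Alias,
#    so the <Directory "/var/www/html"> rules above never match them.
Alias "/uploads" "/srv/uploads"
<Directory "/srv/uploads">
    Require all granted
    # Serve every file as static bytes, whatever it is called (even shell.php).
    SetHandler default-handler
    # mod_php only: additionally switch the PHP engine off for this subtree.
    php_admin_flag engine off
</Directory>
```

The SetHandler line in the upload directory is what matters on any handler stack; php_admin_flag is a mod_php-specific second lock (an uploaded script is then served as source text rather than run). Scoping the FilesMatch inside a <Directory> rather than at server level is deliberate: a bare FilesMatch in httpd.conf would apply to every extensionless file Apache can reach, which is exactly the footprint DefaultType had.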

Hiding the .php extension doesn’t really make your site any safer: anyone who wants to attack your site can simply guess that you’re running PHP behind the scenes and try the well-known exploits, and PHP will usually confirm the guess for them anyway (it sends an X-Powered-By: PHP/x.y.z header unless expose_php is Off, and a PHPSESSID cookie gives it away just as well). This is best described as “security through obscurity”, which gives engineers a warm and fuzzy feeling but isn’t really any more secure.