Hiding .php extensions in Apache

Here’s a neat little trick. If you want to serve out PHP scripts without showing the .php extension, you can add something like this to your httpd.conf file:

DefaultType application/x-httpd-php

DirectoryIndex index index.html

Those directives will tell Apache that if there is no extension on a file, it should run the file through the PHP interpreter. On the filesystem itself, any PHP scripts can be called foo.php or simply foo (i.e. have no extension at all).

In a standard Apache configuration, DefaultType is set to text/plain. This may have made sense in 1996, but these days pretty much everything is HTML.

The DefaultType approach is substantially more efficient than Options MultiViews because there is no need to do readdir() calls to figure out what file to serve out. It gives the added flexibility that if you ever rewrite part of your site to use a different technology (switch to mod_perl or whatever) that the links won’t rot. And it’s 4 bytes less to send for each GET request!

Hiding the .php extension doesn’t really make your site any safer, because anyone who wants to hack your site can simply guess that you’re running PHP behind the scenes and attempt well-known exploits. This could be best described as “security through obscurity” which gives engineers a warm and fuzzy feeling, but isn’t really any more secure.

One thought on “Hiding .php extensions in Apache”

  1. Is this method faster than using:

    AllowOverride FileInfo

    And using .htaccess to:

    ForceType application/x-httpd-php

    ???

    The thing I like about this one is that I don’t have to edit .htaccess every time I want to make a URL without the ?&= syntax.

Comments are closed.