Apache Security Tip: Serve php / cgi file using different file type / extension

last updated December 3, 2007 in Apache, FreeBSD, Howto, lighttpd, Linux, Security

It is possible to serve .php or .cgi / .pl file using different file type / extension name. This will improve security. For example, server .html as .php file, add following to your httpd.conf or .htaccess file:
# serve .html files as php files AddType application/x-httpd-php .html # serve .nix files as cgi files AddType application/x-httpd-cgi .nix
If you are using Lighttpd web server add following to serve php as .html file:
fastcgi.map-extensions = ( ".html" => ".php" )

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

2 comment

Lane says:
December 3, 2007 at 7:32 pm
“This will improve security. ”
I may be being thick here, but how so?
Sean says:
December 4, 2007 at 3:53 am
Security through obscurity? Yeah, you’ll confuse some of the punk element, but that’s about it. And you’re adding a _ton_ of effort if you want to use any mainstream web application.

Have a question? Post it on our forum!

Tagged as: cgi files, change script extension, extension name, htaccess file, html files, html php, httpd, improve security, php files, php html, web server