Fingerprinting Protection

When an attacker wants to attack a website, they usually have to identify first what kind of technology it runs on. In our case, there are a lot of signals that identify a Joomla CMS. With .htaccess files we can add a basic protection against these fingerprinting techniques.

The following measures only cover fingerprinting protection that can be applied through .htaccess files. You are NOT fully protected against these techniques by applying only these options; you must configure many other things, even at server level, to mitigate them.

  • Disable server signature

Disables the server signature that would otherwise identify the server software (and its version) on error pages.

For example, if you forbid access to the README.txt file but this option is not applied, you will see information about the server when you try to access that file. If this option is applied, that information is not shown.

  • Disallow PHP Easter Eggs

PHP contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes certain HTTP requests with crafted arguments, which disclose the PHP version and other sensitive information, resulting in a loss of confidentiality.

For example, if this option is not applied and we make a special request to our site, we will see the PHP credits page for the version installed on our site. If this option is applied, this query will result in a 403 error.

  • Disallow Access to Sensitive Files

By default, it will forbid access to the htaccess.txt, configuration.php, configuration.php-dist, joomla.xml, README.txt, web.config.txt, CONTRIBUTING.md, phpunit.xml.dist and plugin_googlemap2_proxy.php files.

For example, if this option is not enabled, you will be able to access joomla.xml, which includes information about our Joomla version. If this option is applied, this query will result in a 403 error.
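The three options above correspond to a handful of Apache directives. The following .htaccess fragment is an added example written for this page, not the rules generated by the tool itself; it assumes an Apache host with mod_rewrite enabled and `AllowOverride` permitting these directives, and shows the weak (default) setting beside the hardened one for each option:

```apache
## 1. Disable server signature
## Weak: Apache's default appends "Apache/2.x.y (OS)" to every error page.
# ServerSignature On
## Hardened: error pages no longer reveal the server software/version.
ServerSignature Off
## Note: ServerTokens (which trims the "Server:" response header) is NOT
## honoured in .htaccess and must be set in the main server configuration.

## 2. Disallow PHP Easter Eggs
## The easter eggs are reached by appending "?=PHP<GUID>" to any PHP URL.
## Weak: no rule, so the request is served by PHP.
## Hardened: refuse (403) any query string carrying such a GUID.
RewriteEngine On
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
## Note: the easter eggs were removed in PHP 5.5; on older PHP they can also
## be disabled server-wide with expose_php = Off in php.ini, which additionally
## suppresses the "X-Powered-By: PHP/x.y.z" header.

## 3. Disallow access to sensitive files (the default list from this page)
## Weak: these files are static content and Apache serves them on request.
## Hardened: match them by exact name and deny every request.
<FilesMatch "^(htaccess\.txt|configuration\.php|configuration\.php-dist|joomla\.xml|README\.txt|web\.config\.txt|CONTRIBUTING\.md|phpunit\.xml\.dist|plugin_googlemap2_proxy\.php)$">
    # Apache 2.4 syntax; on Apache 2.2 use "Order deny,allow" / "Deny from all".
    Require all denied
</FilesMatch>
```

After applying the fragment, a request for `/joomla.xml` or for any URL ending in `?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000` (the credits easter egg GUID) should return 403, and the 403 page itself should no longer carry an Apache version line. Because `ServerTokens` and `expose_php` live outside .htaccess, this matches the page's caveat that .htaccess alone does not finish the job.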