Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By steff2009 on
Hi,
I'm wondering if there exists a way not to show too many details of my website in the html page code.
For example, I don't like that while the browser is opening a page with a dynamic block, the status bar says "Downloading image /sites/default/files/ddblock/home ddblock/image.jpg" and that the source code shows all details about my site, template, folders, drupal settings, jquery, etc.
Is there a way to hide some of these details in the public source code?
Thank you.
Comments
I need to hide them too...
I too need to hide these details...it makes sense for security purposes too.
Hi, need this info too...any
Hi,
need this info too...any luck anyone?
Nobody replied... :(
Any help? Or is this something non-drupal orthodox?
=-=
It's a bit of a silly request.
Ideally, to hide paths to images and such would mean you can't use those images and such as the browser can't render images and javascript it doesn't have a path to.
Don't want to make it obvious for attackers
Hi,
I understand that you do need to show paths for both images, js and the like, just don't want to make it too obvious.
What I want to avoid is giving unnecessary info to hackers/attackers such as what platform I am using because the less they know about your site the more likely they will just move onto another one that is more easy to attack.
Drupal is great and has security and updates constantly. However, these malicious attackers are always finding new ways to and often for fraud...and most of the time before you know about an attack or vulnerability because it has already happened.
For example, having this on the page source is just too obvious
jQuery.extend(Drupal.settings, { "basePath": "/", "googleanalytics": { "...is very obvious
also
meta name="DC.title" ...is less obvious...and so forth.
=-=
if you are that caught up in this, you can solve the problem shown above, I'd think, by not using the google analytics.module and hard code the google code to your page.tpl.php.
I've a hard time buying into the idea presented though. Especially considering that it's pretty easy to tell you are using drupal by looking at the rendered source, even if you remove the word drupal in every possible place. You would have to change the entire structure.
If it was exposing version information, ok I'd certainly buy into it more.
you are aware there are sites out there that allow do a fairly good job and telling others what code base was used?
Isn't it down to the server
Isn't it down to the server to provide non (direct) access to these folders? So the fact they are shown is irrelevant. A index.html file in each folder would basically prevent browsing to these folders but I notice that Drupal does not do this.
.htaccess
.htaccess
If you're really that paranoid -
Build your site in Flash. =/ It's really the only way you're gonna keep out users who want in, and even then I wouldn't say it's very effective. You can use access rules to keep everyone but the most determined users from reaching those folders, but there's no way to actually hide where the images are stored.
Also, just to point a few things out - go take a look at the Firefox extensions that are around. Even if you did manage to hide an images path from plain view, a slightly tech-savvy user could find out where it's at in a heartbeat.
Hackers, spammers, etc.
Are really not that big of a worry. Drupal is a pretty secure platform, from what I've been able to tell, and security issues are usually patched shortly after they're discovered. If you use a Private Download method, it'll help a little, but if you really don't feel like giving away what platform you're using, you'd just about have to build it yourself.
I know what you mean..
It's this line of code that I don't like..
jQuery.extend(Drupal.settings, { "basePath": "/"....
OK, points taken. Thanks. I
OK, points taken. Thanks. I will make sure my server folders are permissioned (as Drupal tells me) correctly.
That line of code worries me too
jQuery.extend(Drupal.settings, { "basePath": "/"....I'd prefer to have a bit more anonymity due to site security, industry competitors and client confidentiality. It would have been much better if this would have been simply referred to as 'Site.settings' rather than 'Drupal.settings'.
Just to keep the basics hidden from prying eyes.
=-=
except that there are websites and brower addons which can detect which script a site is using without prying eyes viewing the source code.
Need to hide this line too
Same issue here
I would like to hide the drupal name from the source code in this case which is coming up in the line given below to have anonymity over which CMS i am using..
jQuery.extend(Drupal.settings, { "basePath": "/"....
Is putting the google analytics code on page.tpl going to work? Has any one tried it out yet and come up with a solution yet?
=-=
try it on a test site. I don't know if doing so will interact properly with the GA module though.
Side note, removing that won't provide anonymity in any way shape or form. You would have to change the markup of every single module and core to even get close to providing anonymity. ie: just looking at block block code is a tip off in core as to which CMS is being used. Using firebug and checking out css is another method one can use to decipher which CMS is in use.
I don't like this obvious
I don't like this obvious Drupal.settings either. I think any amateur visiting my site should have to do a little research to find out what i am using than having Drupal spelled out for them at their first glance. And i wonder why people in this thread cannot just provide an idea or possible solution to this instead of preaching to the choir. Like duhh...it's dubious, it's doesn't guarantee security, and all of that--Agreed, but WE'LL STILL LIKE TO REMOVE IT!!! So, either provide a solution or be gone!
=-=
It aids to read the entire thread rather than stopping 1/2 way to rant (or be gone!). A solution posted on December 17th is toward the bottom of the thread and requires hacking core.
Little research will have to be done by anyone regardless see: http://www.lullabot.com/articles/is-site-running-drupal
There are also multiple CMS detectors on the web now. http://guess.scritch.org/ for one. There are others that can be installed in firefox as plugin's which do a good job of inspecting the markup to determine which CMS is in use.
And here we go again! Repeating the same thing
Thanks to you, I now know that it is very easy to detect my CMS however, that doesn't answer the question asked. Yet you refuse to stay gone! :)
Practice what you preach my friend--If you had read the entire thread, you'd have noticed i responded to the solution posted before coming back to make this middle post. Reading is fundamental dude! So many essays and only one person provided a solution to the question asked in this thread.
Maybe people should spend their time writing long essays to the people that need them. All the poster wanted was a solution, not your stories ottay?!
=-=
Sweet. Thus this thread can be locked due to your admitted trolling.
Further trolling on drupal.org can lead to stronger action.
Removing the <?php print
Removing the
tags is one of the options, but then if you do that, one must know and always remember to add the .js scripts if you install and removing a module. I found out that www.myplay.com managed to remove it, but I wonder how they did that. How about saving the codes in one .js file?<?php print $scripts ?>and hard code your=-=
js aggregation will combine the files into a single file
myplay isn't trying to "hide" anything. one can find =/sites/all/modules/ and =/sites/all/themes references throughout the source. dead giveaway that it's drupal running the code base. Beyond that MyPlay was highly publicized as using drupal.
and last but not least reading past the custom .js on myplay also reveals
<script type="text/javascript" src="/misc/drupal.js"></script>That said, I'm not sure what you are referring to as to what is actually "hidden"?
care to clarify?
Hi VM, I didn't mean that
Hi VM,
I didn't mean that myplay.com is trying to hide anything. Infact, I got to know about it from the Case Study that was created in Drupal.org (http://drupal.org/node/241344) and I obviously looked at the html source.
But what I meant was, they managed to not using or printing (or whatever you may call it) the code:
jQuery.extend(Drupal.settings, { "basePath": "/"....as I believe this is what this thread is about? To remove that particular code.I'm sorry if I got it wrong.
=-=
That is only present due to certain contrib modules that require it. It isn't seen in a default install of core without contrib modules which would plug into drupal javascript rather than reinvent the wheel.
for example looking at one of my sites, I note:
ctools, admin_menu, dhtml_menu, dialog, skinr are a few modules which add to CDATA. I'm sure there are others. That said, a way to remove it would be to disable the modules that are adding it. Reading the entire section should provide you with the clues to removing it.
If one rereads the original post, one would learn that isn't the OP's only concern. Paths to css files, files folders and the like "as well as" CDATA (drupal.settings) were mentioned.
New handbook page, specially for this Question.
I am tired of this FAQ.
So here's a documentation page that explains why pretending to hide Drupal won't work
.dan. is the New Zealand Drupal Developer working on Government Web Standards
i think core would have to be hacked (ALOT)!
@steff2009 I undersatnd you.
another theing I've been able to login to joomla sites by just 1) looking at their mark up "ah joomla" 2)going to the 'admin login' 3)using a few passwords and bingo! and i dont consider myself a hacker...
**why >admin >YOUR NAME is just silly**
buts its not just the security, you want some one to put in a little effort before knowing the in and outs of your system... like fellow freelancers. keeping them a sneaky step behind you...
while I dont want to and cant mask it completely it would be nice to have that little piece of mind.
for example news.bbc.co.uk , okay which CMS do they use?!
i remember seeing somewhere that they use drupal if they do I think they have all our answers!!
and I would like to add that I cant find their admin page! one less intruder to worry about... see what i'm getting at.
i suspect core would have to be hacked to allow you use your own terms and then shift around your website structure to match.
EDIT:it seems our paranoya will never be understood...he he . plus the post above pretty much settles it. case closed! for me anyway
=-=
I can find no evidence of this theory that site named uses drupal. Have a link from a reputable source to support it?
good Q
sorry if my memory were that clear I'd have stated the source... and I may be wrong as to weather they use drupal or not but my point was an still is - "which CMS do they use?". without this you cant even begin to plan any attack whatsoever which is my point.
drupal just spills the beans tooo easy. and it's not just about obfuscation infact it shouldnt have to do with obfuscation, just being able to restructure your site. you could even achieve more useful things like custom URL's and structures to make your adresses memorable to your users eg: www.somecarsite.com/marques/toyota/corrola
but as I said, I've decided the solid brick wall of "You dont need this fuctionality response" is too much for me to break so i'm giving up on this issue all together... Instead I'll rely on drupals inbuilt security which is apparently bullet proof! I hope it is...
Sorry, really.
I apologize for beating the horse I just killed, but it's all in the aim of trying to make a point clear for everyone.
It's not quite that "You don't need this functionality" (though I understand you feel that way) - it's that this approach to "security" is fundamentally flawed and therefore not supported by anyone who is willing to attack core and make it happen, even if it were sanely possible.
Sometimes the question is just not quite right. Like "How do I make the browser URL show https without setting up a security certificate?". The only answers to that question are "Why?" and "You shouldn't".
If you want to custom-structure your site (you already can) then that's a different question, and one which can happily be answered. On some hosts a request to /admin does cause conflict between Drupal and a control panel. That is a valid complaint, and has work-arounds for. If you want to do a total makeover of all your css classes with no drupalisms at all, you can do that too.
But if the question is "I want to make my site safe from script-kiddies by removing the word 'drupal' from the page source" - then the answer is "think again"
.dan. is the New Zealand Drupal Developer working on Government Web Standards
=-=
based on some research (10 mins tops) using google news.bbc.co.uk *may* be using a custom, internally built, content management system. Seems that many state it is drupal on forums and such with a google search but there are those who state it isn't. If the news.bbc.co.uk site is drupal, I'd figure it would have been front page news as all large outfits that have moved to drupal. It's important to note that not every site on the internet uses open source code.
If you take a look at some of the largest sites known to be using drupal, including whitehouse.gov you will find they aren't obfuscating anything and a view of the source code shows those sites using drupal. I guess I don't understand the idea that if so many high profile sites aren't worried about this, why others would be?
That's entirely not true. One doesn't have to know which script is running to plan an attack or succeed in one. This has already been explained, you're just ignoring the explanation. Most attacks are "random" in nature using XSS techniques. Some research in this area may aid your understanding on how such attacks work.
Noone has said that either. Fact is drupal is created by humans, working on top of other software created by humans, running on hardware built and configured by humans. That said, there is no single script that is now, nor do I believe will ever be in the future "bulletproof" with or without the human element.
FYI
http://buytaert.net/bbc-using-drupal
Some subsidiaries of BBC are indeed Drupal it would seem. (And are not ashamed to let anyone know)
.dan. is the New Zealand Drupal Developer working on Government Web Standards
=-=
gotcha. Though news.bbc.co.uk is not listed there. Very well may be where the users thought comes from though. Thanks.
bullets and the matrix, my synopsis... no not really
by bullet proof i was pointing to the fact that; if we dont have a full proof system we should maximise by taking every little inch of measure. but as you've been frantically saying there's no significant security gain and as dman implies it would be impractical to go through core hacking hell for ... well no real gain.
I guess security is a little more complicated than just "ooh he uses joomla/Drupal..."
I'm not a dev so I hope you can see where I'm coming from.
so i'm not sucking up but..
thanks for bearing with me on this one!
The misconception is common - but outdated
Yeah, to be fair, a quick generic security checklist would usually include some form of system identification lockdown in its top ten ways to try and secure your site. That's why it's a common warning to not leave your phpinfo() page public.
I understand why - if you've only seen the keypoints from a security presentation - not hiding site workings would look like a weakness.
This is partly why I've tried to be so clear and debunk the misconceptions.
Each security approach needs to be weighed up and evaluated in context. The same checklist could also suggest that no access to the system was available from outside the network. Doing that would indeed help to protect your system quite well!
The risks have been looked at by the experts, and the consequences evaluated, and the status is what it is. Though it's possible (and was even popular for a time) to hide the fact that your site ran Apache, IIS, PHP or ASP ... pretty much nobody does that as a security measure any more. The most valid reasons to try and do that nowadays are political - Slashdot used to get a laugh every time it saw an Apache machine running out of Redmond...
Nowadays, this approach is so redundant and futile that a reason not to hide the code is political:
:-B
.dan. is the New Zealand Drupal Developer working on Government Web Standards
Give it a rest yoda! :) who
Give it a rest yoda! :) who gives a [] ?
O_o
You are the one replying to a year-old post :-B
But since you ask - these people, among others, have addressed this question :
greggles, dopry, Morbus Iff, webchick, dww, Gábor Hojtsy , catch, sepeck, VM
.dan. is the New Zealand Drupal Developer working on Government Web Standards
There are ways
This mocking attitude towards a serious security attitude is childish. Drupal has some flaws - like al systems. Just to say "You dont need that feature" because its not there is not searious. The HOWTO is just stupid - infact you should try to make youre site secure.
You can not place theme data outside the theme architecture. What you can do is place it in the main theme folder instead of the site/sitename.com folder. On multisites you can use .htacces to limit witch folders you acces.
.htacces can be used to alter files location.
The most simple way to operate file security is to use "private" file settings. Then the files are placed in a virtual folder.
half-baked pretend cloaking is no help
Which produces the path:
/system/files/images/file.png... which is readily recognizable as "a drupal site". Did that help hide anything?
...Until you hack core beyond recognition.
The HOWTO is somewhat provocative, yeah. The point is that obsfucating a few file paths in itself does not make your site secure.
There are much more real ways to harden your system that actually work. Hiding a small number of filepaths or keywords is not a serious way to secure things.
.dan. is the New Zealand Drupal Developer working on Government Web Standards
I cloak my computer at home
I cloak my computer at home so friends don't know what I'm using
=) just kidding. I do agree that all instances of "drupal" should be removed from public code and it would take all but what 5-10 seconds ? What's the big deal ?
For wordpress installs the first thing I do is remove all instances
of wp- from the code and files. That and all plugin advertiser's promotion gunk that they try to slip in . It takes me 5 seconds with an app. My wordpress install shows no evidence that it's a wordpress site which is cool.
=-=
I venture the idea that it would likely take much longer or it would be already be done. Liklely by anyone in this thread. Can you can qualify the stated time interval by leaving specific steps for others?
Script
Judging by his Wordpress comment, he likely has a regex script that simply removes or replaces a bunch of items recursively. Theoretically you could do the same with Drupal, but I'm not convinced you'd gain any security.
It's kind of like removing "wiki" from all public code in a MediaWiki install. In the best case, it's not going to take very long to figure out what system it is anyway, and, in the worst case, you're going to be out of luck for some contributed modules and themes after you're done butchering any number of CSS selectors.
=-=
Thus still only providing a sense of security through obscurity which doesn't really provide anything but a sense of false security. Gotcha.
Considering the recognizable markup beyond the .js stuff ind rupal and including in wp when wp- is stripped it still seems moot to me. :shruggs:
Can you can qualify the
It's easy all you need is a file name changer, set it up to find every instance of "insert word" and your done. I use MassReplaceIt http://www.hexmonkeysoftware.com/ I can remove on files and the content inside files.
Wordpress has a ton of wp- and it takes me 5-10 seconds ok maybe a few seconds more to remove them. I'm pretty sure there are less instances in Drupal, in fact the only real exposed one is just Drupal.settings. Everything else gets hidden when enabling performance caching. I did managed to find 23 files in Drupal with the instance Drupal.settings, it sounds like a lot but with MassReplaceIt I could have all of those changed to site.settings in a very short time.
The downside to doing this is you would have to also replace in every new module you download prior to installing it. Again this is doable if you are committed to it. I clean (remove wp-) all wordpress plugins and new plugins, it doesn't take long. That being said, it's still a hassle to have to do it.
I like the idea of renaming Drupal.settings to site.settings, it makes sense and should be easy to do.
Performance
In the "performance" area of drupal you can choose to optimize the CSS and JS files used on the site, this will take away some of the obvious paths to drupal.
Obscuring Drupal in page source
While I agree that this is a dubious effort, I have had to do this before in order to satisfy corporate compliance guidelines. A non-obstrusive hacky way to obscure the Drupal.settings call without changing any Drupal core files is as follows:
1. In your custom theme, define a new javascript "Site" variable before the $scripts var:
var Site = Site || { 'settings': {}, 'behaviors': {}, 'themes': {}, 'locale': {} };
2. In your custom theme page.tpl.php template, swap out the "Drupal.settings" call with "Site.settings:
print str_replace('Drupal.settings', 'Site.settings', $scripts);
3. Also in your page.tpl.php template, AFTER the $scripts variable, add an embed to a custom JS file:
print "/".path_to_theme(); /js/mycustom.js">4. In this custom javascript file, simply copy Site.settings to Drupal.settings:
Drupal.settings = Site.settings;
Now, when you "view source", you won't see any Drupal references. This doesn't stop anyone from further inspecting the embedded js mind you, but there's various common ways to protect or obscure that if you really need to. Again, I agree with the previous posters that this won't stop anyone from figuring out you're using Drupal. However, after working in a number of corporate IT environments, it is often a requirement not to embed third party framework names directly in HTML source, so I understand the need to do this and agree that Drupal should simply change the name of this variable as well.
Note: This is for Drupal 6. Should work in Drupal 5 as long as you change the constructor in Step 1 to match whatever it is in "misc/drupal.js".
Again, this is a HACK, imo.
Joining
Joining
Hi Fubar, Where do you define
Hi Fubar,
Where do you define the new javascript var in step 1? a new js file? or in the page.tpl
Either place should work.
Either place should work.
I just tried it and it broke
Thanks Fubar..I just tried it and it broke my slideshow ; (