CodeIgniter Forums
How do these sites know what framework I'm using and how do I hide it? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: How do these sites know what framework I'm using and how do I hide it? (/showthread.php?tid=63561)



How do these sites know what framework I'm using and how do I hide it? - Taylor - 11-13-2015

Sites like http://builtwith.com can easily tell what framework I'm using to build the site. How can I hide this information from them?

And how do they know? Like what do they look for?


RE: How do these sites know what framework I'm using and how do I hide it? - CroNiX - 11-13-2015

They could be doing things like reading license.txt from your base dir, which comes with CI. Or maybe a composer file.


RE: How do these sites know what framework I'm using and how do I hide it? - mwhitney - 11-13-2015

Honestly, when I put in my own website I'm surprised about one or two things that come up, but there's no sign of CodeIgniter in that listing. Most of the other things they list are advertised in one way or another by the server itself, and most of the client-side items can't be hidden, anyway.

The items CroNiX mentions are certainly possibilities, but if that's the case, you should probably prevent outside users from reading those files.

It's also possible that they're checking for some of the defaults configured by the framework.

Since I don't know the details of how they're figuring it out, the only thing I can really recommend is to make sure you're not serving up files on your site other than those which need to be public for your site to function, and maybe change the name of your default controller, and check some other settings, like sess_cookie_name and csrf_cookie_name. I'm guessing that a cookie named 'ci_session' is a big indicator for sites like that, since CodeIgniter is otherwise pretty good about not advertising itself.


RE: How do these sites know what framework I'm using and how do I hide it? - orionstar - 11-13-2015

Builtwith can recognise CodeIgniter based on the directory structure (and index.html files in every dir) afaik.


RE: How do these sites know what framework I'm using and how do I hide it? - mwhitney - 11-13-2015

(11-13-2015, 12:02 PM)orionstar Wrote: Builtwith can recognise CodeIgniter based on the directory structure (and index.html files in every dir) afaik.

If they can see the directory structure of your site and the index.html files in those directories, you've probably got bigger things to worry about than whether they can recognize what framework you're using.


RE: How do these sites know what framework I'm using and how do I hide it? - orionstar - 11-13-2015

(11-13-2015, 12:44 PM)mwhitney Wrote:
(11-13-2015, 12:02 PM)orionstar Wrote: Builtwith can recognise CodeIgniter based on the directory structure (and index.html files in every dir) afaik.

If they can see the directory structure of your site and the index.html files in those directories, you've probably got bigger things to worry about than whether they can recognize what framework you're using.

They not see anything on my sites, I don't have application and system folders and I use .htaccess rewrite rules to prevent access.

I think you may be right about cookie tracking. I have old sites with the default cookie name and they are recognised by builtwith but if I try out other sites with different cookie names then builtwith cannot recognise the framework.


RE: How do these sites know what framework I'm using and how do I hide it? - Diederik - 11-13-2015

I can confirm that these tools (among other indicators) use the default session cookie name as a method to determine what system is running a particular site. After changing this setting the known tools where unable to determine codeigniter on my project.

Code:
$config['sess_cookie_name'] = 'ci_session';

But apart from that every thing you leave default (in output to webbrowser) can be used to identify the system, for example a default generated 404 error, some directly accessable file (some default css file for example) or a non deleted welcome page could be used as fingerprints to determine it.