1. The cookie name can be changed under "Cookie settings"; the link is at the lower left of the main page. Presumably they are suggesting this so you can't identify the software that is setting the cookie by its common name; I believe the default is phpbb3_<randomstring>. Be aware that if you change the cookie name everyone will get logged out.
The preceding dot for the domain is recommended here on phpbb.com, but AFAIK it's for compatibility with legacy browsers related to subdomains; not sure why that would be a security recommendation.
2, 3, 4: These are all server configurations.
As 4 relates to phpBB, the one place you can positively identify the version of the software is through style.cfg in the styles/<style>/ folder. You can add a .htaccess file in the styles folder to whitelist or blacklist specific files for public access. The public needs access to .js, images, css, ???etc. There might be other sources to directly identify the version that I'm unaware of. Indirectly it can be done by examining the CSS, the markup on the page, etc. That of course cannot be blocked; it would be impossible to remove all indirect identification methods for the software/version.
5. Appears to be a simple txt file with formatted contact information that you would add to the server's .well-known directory. It's not related to phpBB.
-------------------------
Quick tip: you can password-protect the ADM folder with Apache; this can usually be set up in the server control panel.
ini_set('session.cookie_httponly', '1');
can be set in php.ini, but it's different code than what you would use in a script: session.cookie_httponly=On
You'd have to test it, but based on the description it may break some functions in phpBB, e.g. Mark forums read; file uploads should be tested.
Statistics: Posted by thecoalman — Sat Jul 27, 2024 4:37 am
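The two Apache pieces the post mentions, written out as an added example (this is not from the original post and not the phpBB project's own configuration): a styles/.htaccess that takes the whitelist approach, so only the static asset types a browser actually needs are fetchable and style.cfg stays blocked, with the blacklist variant shown commented out; and an adm/.htaccess that puts HTTP basic auth in front of the ACP. The htpasswd path /etc/apache2/phpbb-adm.htpasswd and the list of asset extensions are assumptions for illustration.

```apache
# --- styles/.htaccess -------------------------------------------------
# Whitelist approach (Apache 2.4 syntax): deny everything under styles/,
# then re-allow only the file types a browser requests to render the board.
# style.cfg, the other *.cfg files and the server-side .html templates are
# read by PHP, never by the browser, so they stay blocked.
# The extension list is an assumption; extend it if your style ships other
# public assets (check the browser's network tab after deploying).
Require all denied

<FilesMatch "\.(css|js|png|jpe?g|gif|svg|webp|ico|woff2?|ttf|eot)$">
    Require all granted
</FilesMatch>

# Blacklist alternative: use this instead of the two rules above if you
# would rather leave everything else public and only hide the version file.
# <Files "style.cfg">
#     Require all denied
# </Files>

# --- adm/.htaccess ----------------------------------------------------
# HTTP basic auth in front of the ACP, in addition to phpBB's own admin
# login. Create the password file outside the web root with bcrypt hashes:
#   htpasswd -B -c /etc/apache2/phpbb-adm.htpasswd <username>
# The file path is an assumption; use whatever location your host allows.
AuthType Basic
AuthName "phpBB administration"
AuthUserFile /etc/apache2/phpbb-adm.htpasswd
Require valid-user
```

Both files only take effect if the vhost's <Directory> block for the board has AllowOverride covering AuthConfig and Limit (or AllowOverride All); on Apache 2.2 the Require lines become Order/Deny/Allow directives. Basic auth sends credentials base64-encoded on every request, so it is only worth adding on a site served over HTTPS.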