Search code examples
phpsecurityopen-source

Fully open source website

I have a theoretical question about building a fully open source website. I'd like to know if I can code a website, let's say in PHP, which is both functional and transparent, so users can enjoy the functionality of the website and read the code which makes the website possible.

For example: index.php is a fully functional index page coded in PHP and let's say a user wants to see the code of index.php so he can be 100% percent sure of everything done on the server side.

Would something like this be possible?

Solution

  • So let me get this right; you don't just want to provide the source code for the website, but also to prove to any visitors that the site is in fact hosted and running on the provided code?

    You might be able to make something that seems fairly convincing (exposing the inner files in your system directly through a browser?), but I'm not sure you can ever prove your claim formally.

    Think about it: Even if you expose the inner guts of your application via the browser, you're still controlling everything that is being shown, so how can you possibly convince a visitor that what they are seeing is not just a fake copy that appears similar to your publicly facing site?

    In any case, why would you want to do this? Yes, I know you asked this as a hypothetical question, but let's consider the practical consequences anyway: Assuming your goal is to make your users trust you and your service, you can probably achieve this more easily by following a few simple rules.

    • Provide the source code for your system in an open repository (e.g. Github), and provide information about this.
    • Provide other relevant information openly, and behave professionally and with integrity.

    At some point, it comes down to basic trust, no matter what you do. If you behave openly and with integrity, and go to some length to show that you take security seriously(*see below), people are generally likely to trust you. Why? Because people are generally trusting of others so long as they can not see any incentive for you to be fooling them (whether this is wise another discussion).

    (*) Sidenote: Please do and show that you take security seriously, don't just claim to do it!

    How? Apply best practices for security (updated certificates and encryption, safe storage and handling of sensitive data, etc), and document this openly. A good description of reasonable security measures taken will indicate that you know what you are doing, and make it seem less likely that you're faking it.