I'm trying to hide the framework name Yii from Wappalyzer plugin in Chrome/Firefox. I need to hide the framework name as a part of security audit.
I've turned off server signatures in Apache config but the framework name Yii is still showing
You can find how the Wappalyzer is detecting Yii here
HTML code
You would need to make sure that your html doesn't contain the code mentioned in html
part.
Powered by...
text is generated by Yii::powered()
so make sure you are not calling that in your layout file.endPage()
method of yii\web\View
so make sure that you have $this->endPage();
call at the end of your layout.Cookies
To avoid this detection you will need to change CSRF token name. You can find how to change it here: how to change csrf field id from YII_CSRF_TOKEN to any other
JS files
This is probably most annoying detection. The detection pattern in Wappalyzer is assuming that assets folders are 8 character long strings. Fortunately there is hashCallback
property in yii\web\AssetManager
see documentation. You can use it to change how the folder names for assets are generated.
This will help you avoid Wappalyzer detection but someone who will take a look at what scripts are loaded would still be able to see that yii.js, yii.validation.js and yii.activeForm.js scripts are loaded. You can copy them to some of your folders, rename them and then customize asset bundles to change the loaded scripts.
You will want to customize following assets:
yii\web\YiiAsset
for yii.js
script.yii\validators\ValidationAsset
for yii.validation.js
script.yii\widgets\ActiveFormAsset
for yii.activeForm.js
script.