Reputation: 5664
Prevent exposing Laravel usage
I use Wappalyzer add-on on chrome and recently it started finding out about the usage of Laravel framework on my projects.
how does it know about this and how can I hide this?
I think it may be because of one of the cookie's name that Laravel sets automatically, but have no idea how can I change it's name.
Cookie Name: laravel_session
EDIT: thanks to David's answer I could change cookie's name but it still tracks Laravel, so it shouldn't be the way Wappalyzer finds out about Laravel.
EDIT2: I've created a new controller and it didn't detect the framework! It seems that Wappalyzer caches the results for each URL!
Upvotes: 9
Views: 8475
Answers (5)
Reputation: 4151
now it all went to https://github.com/AliasIO/wappalyzer/blob/master/src/technologies.json
so as project config/sessions.php shows this for cookie:
'cookie' => env(
'SESSION_COOKIE',
Str::slug(env('APP_NAME', 'laravel_session'), '_').'_session'
)
we have to proceed to its env() argumeent
(which is laravel_session as a default value in case the env() fails).
THUS we have just to
get in .env file and change its APP_NAME 's value
Upvotes: 2
Reputation: 174
When requesting the laravel website for the first time with the laravel_session prefix while the detection plugin is running, Laravel website techs are detected and stored, so in the next time even if you've changed the prefix the laravel detected icon will still showup.
Best thing is to not ever activate the plugin while developing on the production server, and make sure to uncheck in plugin options the "send data to the server".
Upvotes: 6
Reputation: 1769
In laravel 5.7 and 5.8
If you want to hide it from Wapplyzer than you can change it in below way.
Change APP_NAME=Laravel to APP_NAME=Any Name You want in .env file.
Upvotes: 5
Reputation: 69
In the new laravel 5.2, you can change the cookie session name
By going to the config folder in the root of your laravel project and then session.php, scroll down till line 112 and
change this from 'cookie' => 'laravel_session', to w.e you want.
Upvotes: 5
Reputation: 14620
It's probably the laravel cookie. It has a distinguishing feature in it's name 'laravel_session'. It would certainly explain where it gets the usage stats from. You can change the name of the cookie in app/config/session.php.
Edit
So Wappalyzer uses json to specify what it should be looking for. This is how it identifies Laravel:
"Laravel": {
"website": "laravel.com",
"cats": [ 18 ],
"headers": { "Set-Cookie": "laravel_session" },
"implies": "PHP"
}
It uses the headers property to identify what's going on. This would imply it does use the cookie name only...
For the complete list of app tracking rules, they're on the GitHub repo.
Upvotes: 19
Related Questions
- Laravel, how to ignore an accessor
- how to make laravel 9 api-only?
- make laravel api only accesible by logged users in laravel 7
- disable access to Laravel API from browser
- Laravel - Don't allow user to access other user data
- laravel4 View::share usage
- laravel 4.2. user permissions and hiding link source
- Laravel 4: protecting routes provided by a controller
- Laravel 4: prevent access to any file or folder except public
- Laravel: configuring to protect sensitive info