How to hide Yii Web Framework name from Wappalyzer?
I'm trying to hide the framework name Yii from the Wappalyzer plugin in Chrome/Firefox. I need to hide the framework name as part of a security audit.
I've turned off server signatures in the Apache config, but the framework name Yii is still showing.
Solution 1:
You can find how the Wappalyzer is detecting Yii here
HTML code
You would need to make sure that your HTML doesn't contain the code mentioned in the html part.
- The "Powered by..." text is generated by `Yii::powered()`, so make sure you are not calling that in your layout file.
- You will change the name of the CSRF token input, so the second line is not a problem.
- These blocks are replaced when you call the `endPage()` method of `yii\web\View`, so make sure that you have a `$this->endPage();` call at the end of your layout.
Cookies
To avoid this detection you will need to change CSRF token name. You can find how to change it here: how to change csrf field id from YII_CSRF_TOKEN to any other
JS files
This is probably the most annoying detection. The detection pattern in Wappalyzer assumes that asset folder names are 8-character strings. Fortunately there is a `hashCallback` property in `yii\web\AssetManager` (see documentation). You can use it to change how the folder names for assets are generated.
This will help you avoid Wappalyzer detection, but someone who takes a look at which scripts are loaded would still be able to see that yii.js, yii.validation.js and yii.activeForm.js are loaded. You can copy them into one of your own folders, rename them, and then customize the asset bundles to change the loaded scripts.
You will want to customize the following assets:
- `yii\web\YiiAsset` for the yii.js script
- `yii\validators\ValidationAsset` for the yii.validation.js script
- `yii\widgets\ActiveFormAsset` for the yii.activeForm.js script
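The three changes described in the answer (renamed CSRF parameter, custom `hashCallback`, and overridden asset bundles) can all be made in one Yii 2 application config. The fragment below is an added example, not the answer author's code; it assumes renamed local copies of the framework scripts exist under `@app/assets/js` with the hypothetical names core.js, validate.js and form.js, and the salt and cookie key are placeholders.

```php
<?php
// Added example: Yii 2 config fragment (e.g. config/web.php) that removes the
// three Wappalyzer fingerprints discussed above. Not taken from the answer.
// Assumes @app/assets/js holds renamed copies of yii.js, yii.validation.js
// and yii.activeForm.js as core.js, validate.js, form.js (hypothetical names).
return [
    'components' => [
        'request' => [
            // Cookies / hidden inputs: rename the CSRF parameter so the
            // default "_csrf" name no longer appears in forms or cookies.
            'csrfParam' => '_rt',
            'cookieValidationKey' => 'COOKIE-KEY-PLACEHOLDER',
        ],
        'assetManager' => [
            // JS files: published asset directories are normally 8-character
            // hashes; hashCallback lets the application choose another shape.
            'hashCallback' => function ($path) {
                // Keyed hash: the directory name still changes when the
                // source path changes, but is no longer 8 characters long.
                return substr(
                    hash_hmac('sha256', $path, 'ASSET-SALT-PLACEHOLDER'),
                    0,
                    12
                );
            },
            // Replace the framework scripts with renamed local copies so the
            // browser never requests yii.js / yii.validation.js /
            // yii.activeForm.js by name. Dependencies of each bundle are kept.
            'bundles' => [
                'yii\web\YiiAsset' => [
                    'sourcePath' => '@app/assets/js',
                    'js' => ['core.js'],
                ],
                'yii\validators\ValidationAsset' => [
                    'sourcePath' => '@app/assets/js',
                    'js' => ['validate.js'],
                ],
                'yii\widgets\ActiveFormAsset' => [
                    'sourcePath' => '@app/assets/js',
                    'js' => ['form.js'],
                ],
            ],
        ],
    ],
];
```

Renaming the files does not change their contents: the copied core script still defines the global `window.yii` object, so this only defeats file-name and path-shape matching, not a reader of the script source.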
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow