Remove C5 Head Content - Php

When you visit a site running C5 you will typically see the following lines of code in the head tags:

<script type="text/javascript">
var CCM_DISPATCHER_FILENAME = '/index.php';
var CCM_CID = 1;
var CCM_EDIT_MODE = false;
var CCM_ARRANGE_MODE = false;
var CCM_IMAGE_PATH = "/updates/concrete5.4.1.1/concrete/images";
var CCM_TOOLS_PATH = "/index.php/tools/required";
var CCM_REL = "";
<link rel="stylesheet" type="text/css" href="/updates/concrete5.4.1.1/concrete/css/ccm.base.css?v=e00e8ce59e3521533bb4e67744a6e542" />
<script type="text/javascript" src="/updates/concrete5.4.1.1/concrete/js/jquery.js?v=e00e8ce59e3521533bb4e67744a6e542"></script>
<script type="text/javascript" src="/updates/concrete5.4.1.1/concrete/js/ccm.base.js?v=e00e8ce59e3521533bb4e67744a6e542"></script>

This was taken off the source code of a random site from the showcase. You can check it out here:

C5 automatically generates this when you put:

<?php Loader::element('header_required');?>

In place of the title tags.

1. For security reasons, how can you hide this code from regular (non editing) visitors?

- Its not necessary for typical visitors and it gives away the CMS name for exploitation.

Use an if statement to check if the user is logged in?

- If not logged in send a separate .php replacement with just the <title>page</title>
- If logged in - send the editing header file

Any solutions are greatly appreciated!

View Replies: View Best Answer
olliephillips replied on at Permalink Reply
Agree you can identify the CMS in use from that, not sure it presents a security risk unless your version has known exploits, but do very much agree that less disclosure is better.
cowland replied on at Permalink Reply
Ok, after a little bit of messing around with my site I put together the following code which can be used in the head:

  $u = new User();
  if($u->isRegistered()) {
  else {
   $page = Page::getCurrentPage();
   echo '<title>'.$page->getCollectionName().'</title>';

For showing CMS header only to those who need it.
Mnkras replied on at Permalink Best Answer Reply
I really advise you not to do that, it can cause tons of problems especially with addon's.

Copy /concrete/elements/header_required.php to /elements and you can remove the meta generator, also for that use $u->isloggedin(); not registered but I highly advise people to not do what was posted above!
goldhat replied on at Permalink Reply
It is almost impossible to entirely hide the identity of a site CMS and that is not at all unique to C5. It is very simple to detect WordPress or Drupal sites as well. Even if there is no clear identifier in the code source, a script can often detect the CMS by testing for certain directories or files they know exist in the given site. In Drupal for instance we can check for CHANGELOG files to be a in a certain location.

I would imagine even if you succeed in removing this code from the head, there are other simple ways to test if a given site is running C5.