httpd-docs mailing list archives

From Daniel Shahaf <>
Subject [PATCH] mod_log_forensic security considerations
Date Tue, 29 May 2012 17:36:42 GMT

Infra got bit by mod_log_forensic logs including Authorization headers
and being world-readable, so in an effort to save someone else from
repeating this mistake how about adding it to the "Security
considerations" section of the documentation:

Index: docs/manual/mod/mod_log_forensic.xml
--- docs/manual/mod/mod_log_forensic.xml	(revision 1342688)
+++ docs/manual/mod/mod_log_forensic.xml	(working copy)
@@ -93,6 +93,10 @@
     document for details on why your security could be compromised
     if the directory where logfiles are stored is writable by
     anyone other than the user that starts the server.</p>
+    <p>The logfiles may contain sensitive data such as the contents of 
+    <code>Authorization:</code> headers (which can contain passwords), so
+    they should not be readable by anyone except the user that starts the
+    server.</p>
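Review bot: the first added line ends with a trailing space after "contents of "; strip it before committing so the XML source stays clean. The phrasing "should not be readable by anyone except the user that starts the server" could be stated more directly as "should be readable only by the user that starts the server", which also mirrors the wording of the preceding paragraph about the directory being writable.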

Perhaps it would be a useful feature to allow excluding those headers
from being logged, too.
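The audit this message implies, as an added example that is not part of the patch or of httpd itself: parse mod_log_forensic output, report which request IDs logged a credential header without echoing the header value, and check whether a logfile is world-readable. The sample log lines are constructed, and Proxy-Authorization is an addition of this example; the patch only names Authorization.

```python
import os
import stat

# Constructed sample in mod_log_forensic's format (not a real capture): a "+"
# line opens a request with its forensic ID, then "|"-separated request line
# and headers; the matching "-" line marks the request as completed.
SAMPLE_LOG = (
    "+yQtJf8CoAB4AAFNXBIEAAAAA|GET /private/ HTTP/1.1|Host:localhost%3a8080"
    "|Authorization:Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==|User-Agent:curl/7.22.0\n"
    "-yQtJf8CoAB4AAFNXBIEAAAAA\n"
    "+yQtJf8CoAB4AAFNXBIEAAAAB|GET /index.html HTTP/1.1|Host:localhost%3a8080"
    "|User-Agent:curl/7.22.0\n"
    "-yQtJf8CoAB4AAFNXBIEAAAAB\n"
)

# Credential-carrying headers; the patch names Authorization, and this example
# adds Proxy-Authorization since it carries the same kind of secret.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}


def parse_forensic(text):
    """One dict per request: forensic id, request line, lower-cased header map."""
    requests = []
    for line in text.splitlines():
        fields = line[1:].split("|")
        if not line.startswith("+") or len(fields) < 2:
            continue  # "-" lines only close a request and carry no headers
        headers = {}
        for field in fields[2:]:
            # mod_log_forensic escapes ':' inside values as %3a, so the first
            # ':' is always the name/value separator.
            name, _, value = field.partition(":")
            headers[name.lower()] = value
        requests.append({"id": fields[0], "request": fields[1], "headers": headers})
    return requests

def find_credential_exposure(text):
    """(forensic id, header name) for each logged credential header. Header
    values are never returned, so the report itself leaks nothing."""
    return [(req["id"], name) for req in parse_forensic(text)
            for name in req["headers"] if name in CREDENTIAL_HEADERS]

def mode_is_world_readable(mode):
    """True when the 'other' read bit is set, i.e. any local user can read."""
    return bool(mode & stat.S_IROTH)

def is_world_readable(path):
    """Permission check for an actual logfile; forensic logs should be owner-only."""
    return mode_is_world_readable(os.stat(path).st_mode)
```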
