httpd-users mailing list archives

From "Danie Qian" <dan...@bestningning.com>
Subject Re: [users@httpd] .htaccess for script aliased directories
Date Sat, 26 Apr 2008 06:18:58 GMT

----- Original Message ----- 
From: "Joshua Slive" <joshua@slive.ca>
To: <users@httpd.apache.org>; "Danie Qian" <daniel@bestningning.com>
Sent: Friday, April 25, 2008 8:10 PM
Subject: Re: [users@httpd] .htaccess for script aliased directories


> On Fri, Apr 25, 2008 at 4:32 PM, Danie Qian <daniel@bestningning.com> 
> wrote:
>
>>  On second thought, I tested the setting by commenting out the 'require
>> valid-user' line completely to see what the browser gets for other
>> methods; it is actually a 403 forbidden error instead of an open 200.
>> So I guess I was fine with the <limit>GET POST</limit> lines - it only
>> triggers a login prompt for GET & POST while leaving the others
>> forbidden. Am I wrong?
>
> You may or may not create an immediate security problem by using
> <Limit>. But regardless, it is a bad idea. It could easily open a
> security hole in the future if you ever change the configuration of
> the content behind the restriction. And why use a complex config, when
> the simple one is better and more secure?
>

I completely agree with you in a general sense 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
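
The point made in the reply above can be checked mechanically. The following is an added example, not part of the original message and not an Apache httpd tool: a small scanner that flags access-control directives placed inside a `<Limit>` block and lists the methods that block does not name. The function name, the directive list and both `.htaccess` samples are constructed for illustration.

```python
import re

# Methods <Limit> accepts per the httpd core documentation. Listing GET also
# restricts HEAD, and TRACE cannot be limited, so neither appears here.
LIMITABLE = {"GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
             "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
ACCESS_DIRECTIVES = {"require", "allow", "deny", "order"}
OPEN_LIMIT = re.compile(r"<Limit\s+([^>]*)>", re.IGNORECASE)  # skips <LimitExcept>
CLOSE_LIMIT = re.compile(r"</Limit>", re.IGNORECASE)

# Constructed .htaccess samples (not taken from the thread).
SCOPED = """\
AuthType Basic
AuthName "Restricted scripts"
AuthUserFile /path/to/.htpasswd
<Limit GET POST>
Require valid-user
</Limit>
"""
SIMPLE = """\
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
"""


def find_method_scoped_auth(config_text):
    """Return one finding per access-control directive placed inside <Limit>."""
    findings, listed = [], None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_LIMIT.match(line)
        if opened:
            listed = set(opened.group(1).split())  # methods the block names
        elif CLOSE_LIMIT.match(line):
            listed = None
        elif listed is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            findings.append({"line": lineno, "directive": line,
                             "applies_to": sorted(listed),
                             "not_covered": sorted(LIMITABLE - listed)})
    return findings


if __name__ == "__main__":
    for name, text in (("scoped", SCOPED), ("simple", SIMPLE)):
        print(name, find_method_scoped_auth(text))
```

An empty result for a file means every access-control directive in it applies regardless of request method, which is the simple configuration the reply recommends.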

