httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "J. Greenlees" <>
Subject Re: [users@httpd] Directory hiding
Date Tue, 16 Sep 2008 23:41:37 GMT
Nick Kew wrote:
> On 16 Sep 2008, at 06:57, Hugh E Cruickshank wrote:
>> That may be the case but their recommendation is still: Issue a "404 -
>> Not Found" response status code for a forbidden resource, or remove it
>> completely.
> Either they're wrong or you're misreading.
> But I can see what's happening.  It's "chinese whispers", starting from
> the CIS benchmark.  Most likely someone along the way (IBM's tech
> writer's boss or somesuch) insisted that a meaningful explanation
> would be too difficult for their lusers, and either didn't understand or
> didn't care that it's misleading.
> Security by Cookery.  BTDT.  I can feel a blog entry coming on.

Technically, cooking is following a detailed set of instructions, one 
set for each item being cooked, so it's not quite as bad as it sounds.

I don't disagree with the conclusion in this particular case, hiding 
filesystem structure in the documentroot is not an improvement in security.
I'm always concerned with security issues, but it's in the app code and 
data verification that I see as being where to focus my attention. At 
least until such time as updated underlying technologies are implimented 
to address the security issues.

Since the internet was built at a time and in an environment where 
security wasn't a concern at all, the core technologies need to be 
rebuilt with security as a priority. That would probably impact the HTTP 
Server and many other projects, requiring a lot of work to have them 
function with the new system(s) properly.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message