httpd-users mailing list archives

From James Corteciano <ja...@linux-source.org>
Subject Re: [users@httpd] AllowOverride: Pros and Cons
Date Sun, 11 Jul 2010 15:04:48 GMT
Hi Sheryl,

Thanks for your reply.

I'm not sure how I can give users a better solution as they need .htaccess
files on their webroot.

Regards,
James

On Thu, Jul 8, 2010 at 11:42 PM, Sheryl <gubydala@his.com> wrote:

> > Hi All,
> >
> > I would like to hear your ideas on what the pros and cons are if I set
> > a specific directive-type for AllowOverride like AuthConfig,
> > FileInfo, Indexes, Limit, and Options?
>
> Most security guidelines say no to Indexes.  It's tolerable to allow
> overrides on most things for a development box for developer convenience,
> but by the time a site gets to production (particularly outside-facing)
> pretty much anything worked out in .htaccess should be rolled into the
> httpd.conf.
>
> > I am just concerned about the security matters that will arise if I give
> > the user full access on .htaccess (AllowOverride All) on their webroot?
>
> I would resist, or at minimum get support for not allowing it in QA and
> production.  Something you can use for support is the CISecurity Apache
> Benchmark.  It's downloadable for free from cisecurity.org.  I just took a
> quick look and they recommend "AllowOverride None".
>
> Sheryl
>
> >
> > Thanks.
> > James
> >
>
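
The three AllowOverride choices discussed in this thread, side by side, as an added example that is not part of the original messages. The directory path and the ErrorDocument target are constructed placeholders, and the directive names follow Apache 2.2-style configuration.

```apache
# Added illustration; paths are constructed placeholders.
# Enable ONE of the per-user blocks (a), (b) or (c), not all three.

# Server-wide baseline: no .htaccess overrides unless re-enabled below.
<Directory "/">
    AllowOverride None
</Directory>

# (a) What the question asks about: every directive type may be set in
#     .htaccess by whoever can write to the webroot.
#<Directory "/var/www/users/example">
#    AllowOverride All
#</Directory>

# (b) Scoped delegation: only the directive types the users actually need.
#     AuthConfig - authentication directives (AuthType, AuthName,
#                  AuthUserFile, Require)
#     FileInfo   - document-type and metadata directives (AddType,
#                  ErrorDocument, Header, SetHandler, mod_rewrite rules)
#     Limit      - host access control (Order, Allow, Deny)
#     Indexes and Options are left out, so .htaccess cannot change
#     directory-indexing directives or set Options (directory listings,
#     ExecCGI, Includes).
<Directory "/var/www/users/example">
    Options -Indexes
    AllowOverride AuthConfig FileInfo Limit
</Directory>

# (c) Production form suggested in the reply: overrides off, with the
#     settings worked out in .htaccess moved into the server configuration.
#<Directory "/var/www/users/example">
#    Options -Indexes
#    AllowOverride None
#    # constructed example of a setting moved out of .htaccess:
#    ErrorDocument 404 /errors/404.html
#</Directory>
```

With AllowOverride None the server does not read .htaccess files in that directory at all, so directives left in them are silently ignored; `apachectl configtest` checks the edited configuration before a reload.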
