tomcat-users mailing list archives

From Tim Funk <>
Subject Re: [OT] WEB-INF
Date Thu, 11 Jul 2013 13:52:18 GMT
It's a best practice to keep your JSPs inside of WEB-INF. Since WEB-INF/ is
not allowed to be requested by the browser - it's a simple enforcement
mechanism to prevent users from direct access to calling JSPs. (Since it
may be common to have JSPs as snippets for header / footers etc -- and
therefore they might be able to be called in surprising ways and exposing
funny attacks)

On Wed, Jul 10, 2013 at 6:08 PM, Leo Donahue - RDSA IT <> wrote:

> When did it start that developers decided to place jsps in the WEB-INF
> directory?  Was that intended from the beginning, or was it stumbled upon?
> Leo
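
One way to check a packaged application against the practice described in this message, as an added example that is not part of the original thread or of Tomcat itself: the script lists JSP files in a WAR that sit outside the top-level WEB-INF/ directory and can therefore be requested by URL. The function names, the extension list and the sample WAR contents are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: extensions treated as JSP sources. *.jsp and *.jspx are mapped to
# the JSP servlet in Tomcat's default web.xml; .jspf is the usual fragment suffix.
JSP_SUFFIXES = {".jsp", ".jspx", ".jspf"}


def directly_requestable_jsps(war_bytes):
    """Return sorted archive paths of JSP files located outside top-level WEB-INF/."""
    exposed = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            if path.suffix.lower() not in JSP_SUFFIXES:
                continue
            # Only the WEB-INF directory at the root of the web application is
            # closed to browser requests; a nested "x/WEB-INF/" is an ordinary folder.
            if path.parts[0] == "WEB-INF":
                continue
            exposed.append(info.filename)
    return sorted(exposed)


def build_sample_war():
    """Build a small in-memory WAR. Constructed sample data, not a real application."""
    names = [
        "index.jsp",                # public entry page at the root
        "includes/header.jsp",      # snippet meant only for inclusion, but requestable
        "admin/WEB-INF/panel.jsp",  # nested WEB-INF gives no protection
        "WEB-INF/jsp/home.jsp",     # reachable only through a server-side forward/include
        "WEB-INF/web.xml",
        "static/site.css",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name in names:
            war.writestr(name, "<%-- constructed sample --%>")
    return buf.getvalue()


if __name__ == "__main__":
    for jsp in directly_requestable_jsps(build_sample_war()):
        print("requestable by URL:", jsp)
```

Entries such as a root index.jsp may be intentional; the list is meant for review, with header and footer snippets being the ones to move under WEB-INF/.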
