The suggestion has been made to me that it is more secure to configure Apache to only return 200 and 404 error codes (or something similar) so that situations that would return any other 4xx or 5xx code will return 404 codes. The reasoning given for this is that it limits the amount of information available to a cracker about what is available from the webroot / how Apache is configured.

This doesn't seem to be a good idea to me as it seems that it would violate the principle of returning appropriate error codes as defined in RFC 2616.

I am really interested in the opinion of other Apache users / developers though - as I need to have a robust case for action whichever direction turns out to be the best.

I have also been told that it is 'more secure' to hide the Apache version number in error reports / etc. This also sounds like 'security by obscurity' to me but again I would really appreciate any robust comments from you guys.

Thanks a lot

-Rob

--
"98.5% of DNA is considered to be junk DNA with no known purpose. Maybe it's XML tags." -- Anon

"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Kernighan

http://www.robhulme.com/
http://robhu.livejournal.com/

The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info.