On Fri, Apr 25, 2008 at 4:32 PM, Danie Qian <daniel@xxxxxxxxxxxxxxxx> wrote: > On second thought, I tested the setting by commentting out the 'require > valid-user' line completely to see what the browsor gets for other methods, > it is actually a 403 forbidden error instead of a open 200. So i guess I > was fine with the <limit>GET POST</limit> lines - it only triggers a login > prompt for GET & POST while leaving the others forbidden. Am I wrong? You may or may not create an immediate security problem by using <Limit>. But regardless, it is a bad idea. It could easily open a security hole in the future if you ever change the configuration of the content behind the restriction. And why use a complex config, when the simple one is better and more secure? Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|