From: Nick Kew Sent: September 15, 2008 19:43
>
> On 16 Sep 2008, at 02:44, Hugh E Cruickshank wrote:
>
> > Right now if someone were to attempt to access these subdirectories
> > (i.e. http://www.example.com/cgi-bin) they would receive a 403
> > Forbidden error message. Unfortunately this is not quite acceptable
> > to the IBM Rational AppScan utility which recommends that a 404
> > Not found error should be issued.
>
> I suspect you're misreading your AppScan.

That is a good possibility.

> It's warning about potentially exposing your filesystem information.

Most probably.

> But there's nothing secret about a directory containing a web-facing
> application!

That may be the case but their recommendation is still:

    Issue a "404 - Not Found" response status code for a forbidden
    resource, or remove it completely.

> Having said that, rtfm ErrorDocument for one way to do what you ask,
> if it's for some ignorant PHB's box-ticking exercise.

Colour me stupid but as far as I can tell ErrorDocument only provides
for the replacement of the text of a message. I can not see how it
can be used to force a 404 instead of a 403.

Thanks for your response anyway.

Regards, Hugh

--
Hugh E Cruickshank, Forward Software, www.forward-software.com
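
One way the 404 asked about above can be produced on Apache httpd, shown as an added example that is not part of the original message or of anyone's configuration in this thread. It assumes mod_alias is loaded and that /cgi-bin/ is the directory in question; the script name in the second variant is hypothetical.

```apache
# Added example: configuration fragment for the main server or a
# <VirtualHost> block. Assumes mod_alias is loaded.

# Before: a request for the bare directory is refused with 403 Forbidden,
# which is what the scanner flags as confirming the directory exists.
#   GET /cgi-bin/  ->  403

# After, variant 1: answer requests for the directory itself with 404.
# Redirect and RedirectMatch accept a non-3xx status when the target URL
# is omitted, and mod_alias evaluates redirects before ScriptAlias/Alias.
# The pattern is anchored, so scripts below the directory
# (for example /cgi-bin/app.cgi) do not match and are served as before.
RedirectMatch 404 ^/cgi-bin/?$

# After, variant 2 (ErrorDocument): route every 403 to a local CGI script
# that replaces the status as well as the body. The script (hypothetical
# name) must emit the header "Status: 404 Not Found" before its output.
# This changes every 403 on the server, not only the one for /cgi-bin/.
# ErrorDocument 403 /cgi-bin/not-found.cgi
```

After reloading the server, a HEAD request for the directory URL should show 404 in the status line while a request for a script inside it still succeeds.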