On 16 Sep 2008, at 06:57, Hugh E Cruickshank wrote:
> That may be the case but their recommendation is still: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely.

Either they're wrong or you're misreading.

But I can see what's happening. It's "Chinese whispers", starting from the CIS benchmark. Most likely someone along the way (IBM's tech writer's boss or somesuch) insisted that a meaningful explanation would be too difficult for their lusers, and either didn't understand or didn't care that it's misleading.

Security by Cookery. BTDT. I can feel a blog entry coming on.

--
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.