> Hi All,Most security guidelines say no to Indexes. It's tolerable to do allow
>
> I would like to hear your idea's of what are the pros and cons if I will
> set
> a specific directive-type for AllowOverride like AuthConfig,
> FileInfo,Indexes, Limit, and Options?
overrides an most things for a development box for developer convenience,
but by the time a site gets to production (particularly outside-facing)
pretty much anything worked out in .htaccess should be rolled into the
httpd.conf.
I would resist, or at minimum get support for not allowing it in QA and
> I am just concern about security matters that will produce if I will give
> the user full access on .htaccess (AllowOverride All) on their webroot?
production. Something you can use for support is the CISecurity Apache
Benchmark. It's downloadable for free from cisecurity.org. I just took a
quick look and they recommend "AllowOverride None".
Sheryl
>
> Thanks.
> James
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|