The usefulness of this method is very limited. The numeric response code (200, 403, 404, 500 etc) that apache sends along with a custom error page remains unchanged. Even if your document says something generic (or even false), apache is still being quite specific (and truthful) about the problem it is reporting. Anyone doing a brute scan will likely pay more attention to the numeric code than to anything in the document body. This might fool a curious punk who is typing things in the location bar of his mainstream browser, but it is basically useless against any attack more sophisticated (i.e. automated) than that. Protection that is so trivially circumvented is perhaps worse than none at all, as it can lead one to let down his guard (c.f. trusting HTTP_REFERER for resource authorization). Not to mention the obvious problem of hiding useful trouble-shooting information from legitemate users/developers/administrators, etc. The apache 'ErrorDocument' directive can make your site prettier and more user friendly, but will not do much to increase security. Mariusz Woloszyn <emsi@ipartners.pl> wrote: > You can allways change error files in apache conf: > > ErrorDocument 404 /error/blah.html > ErrorDocument 403 /error/blah.html > > > -- > Mariusz Wołoszyn > Internet Security Specialist, Internet Partners
