On 24/02/2012 11:52 a.m., Roman Gelfand wrote:
Hi Amos, I could be wrong, but I understood from your several posts that this type of configuration is not recommended (either due to security issues or performance, I don't remember exactly). Is that right?
*redirect* (using deny_info or a redirector program which does real 3XX status redirects) is fine and a built-in feature of HTTP, since what it does is inform the client browser/agent to change the URI being requested, keeping any state between the server and client synchronized. Security, behaviour expectations and working state are all kept predictable.
*rewrite* (using a redirector/rewriter to alter the URL in transit) is not recommended on grounds of being complex, with many breakages from the client browser/agent being unaware of the URL change. Rewrite is at heart a cross-site/XSS attack, in the same way that an intercept proxy is a MITM attack. Intending for it to happen does not change the side effects or lessen the risks.
Amos
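The distinction Amos draws above can be seen in the reply a Squid url_rewrite_program helper hands back. The following helper is an added example written for this page; it is not Amos's code and not part of Squid. It assumes the Squid 3.4+ helper line protocol (request lines of the form "[channel-ID] URL client_ip/fqdn ident method ...", replies of "OK status=301 url=...", "OK rewrite-url=..." or "ERR"), and the hostname move it implements (old.example.com to new.example.com) is a constructed policy. Given the same request, it can answer with a real 301 that the browser sees and follows, or with a silent in-transit rewrite that the browser never learns about; the second form is the one the post warns against.

```python
#!/usr/bin/env python3
"""Hypothetical Squid url_rewrite_program helper (example, not Squid's own code).

Assumed Squid 3.4+ helper protocol:
  stdin : "[channel-ID] URL client_ip/fqdn ident method [kv-pairs]"
  stdout: "[channel-ID] OK status=301 url=<new>"  -> real 3XX redirect
          "[channel-ID] OK rewrite-url=<new>"      -> silent in-transit rewrite
          "[channel-ID] ERR"                       -> leave the URL unchanged
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed example policy: a hostname that has moved.
HOST_MOVES = {"old.example.com": "new.example.com"}


def relocate(url):
    """Return the relocated URL, or None if the policy does not apply."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        return None
    if host is None or host.lower() not in HOST_MOVES:
        return None
    new_host = HOST_MOVES[host.lower()]
    netloc = new_host if port is None else "%s:%d" % (new_host, port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def handle_line(line, mode="redirect"):
    """Build the helper reply for one request line from Squid."""
    fields = line.strip().split()
    if not fields:
        return "ERR"
    # With url_rewrite_children ... concurrency=N the first field is a channel-ID
    # that must be echoed back so Squid can match the reply to the request.
    channel = ""
    if fields[0].isdigit():
        channel = fields.pop(0) + " "
    url = fields[0]
    target = relocate(url)
    if target is None:
        return channel + "ERR"
    if mode == "redirect":
        # The client is told to fetch the new URL itself: cookies, Referer,
        # history and origin checks all stay consistent with what it requested.
        return channel + "OK status=301 url=" + target
    # Rewrite: Squid fetches the new URL but the client still believes it is
    # talking to the old host. This is the cross-site behaviour the post warns about.
    return channel + "OK rewrite-url=" + target


def main():
    mode = sys.argv[1] if len(sys.argv) > 1 else "redirect"
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, mode) + "\n")
        sys.stdout.flush()  # Squid waits on each reply line; never buffer output


if __name__ == "__main__":
    main()
```

The helper would be wired in with a url_rewrite_program line in squid.conf naming the script and its mode argument; the same 301 behaviour, without any helper at all, is what a deny_info line of the form "deny_info 301:URL aclname" produces, which is the deny_info route Amos refers to.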