[mod-security-users] Recommended vs Minimum Configuration
From: Ann H. <sea...@ha...> - 2005-03-10 00:52:21
This is just a question about the difference between the recommended minimum configuration in the documentation and the minimum configuration for httpd.conf in the distribution.

DOCUMENTATION:

SecFilterCheckCookieFormat Off

(Includes HEAD and a semicolon at the end)

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type \
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

DISTRIBUTION COPY:

SecFilterCheckCookieFormat On

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

Also, is the default status code 403 (forbidden) a better choice than 500 (server bad), as I have seen 500 recommended in an article?

Thanks,

Beginning mod_security user and small-time webmaster
Ann
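The following is an added example, not part of the original message or of the mod_security distribution: it models the two quoted filter chains in Python and runs them over constructed sample requests to show where they differ. It assumes a leading "!" inverts the regex match, a chain triggers only when every filter in it matches, a missing Content-Type header is evaluated as an empty string, and the triggered action is a deny; the names `CHAINS`, `rejected` and `compare` are hypothetical.

```python
import re

# Patterns copied from the two quoted configurations, without the leading
# "!" (negation is applied in rejected() below).
CHAINS = {
    "documentation": (r"^(GET|HEAD)$",
                      r"(^application/x-www-form-urlencoded$|^multipart/form-data;)"),
    "distribution":  (r"^GET$",
                      r"(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"),
}

def rejected(variant, method, content_type=""):
    """True when both negated filters of the chain match (request denied).
    Assumption: an absent Content-Type header is seen as an empty string."""
    method_re, ctype_re = CHAINS[variant]
    method_hit = re.search(method_re, method) is None       # "!" => no match
    ctype_hit = re.search(ctype_re, content_type) is None   # "!" => no match
    return method_hit and ctype_hit  # chain: every filter must match

# Constructed sample requests: (method, Content-Type header value).
SAMPLES = [
    ("GET", "text/html"),
    ("HEAD", "text/html"),
    ("POST", ""),
    ("POST", "application/x-www-form-urlencoded"),
    ("POST", "application/x-www-form-urlencoded; charset=UTF-8"),
    ("POST", "multipart/form-data; boundary=x"),
    ("POST", "multipart/form-data"),
    ("POST", "text/xml"),
]

def compare():
    """Return (method, content_type, denied_by_documentation, denied_by_distribution)."""
    return [(m, c, rejected("documentation", m, c), rejected("distribution", m, c))
            for m, c in SAMPLES]

if __name__ == "__main__":
    for m, c, doc, dist in compare():
        print(f"{m:5} {c!r:52} doc={'deny' if doc else 'pass'} "
              f"dist={'deny' if dist else 'pass'}")
```

Under these assumptions the two variants disagree on three of the samples: a HEAD request with an unlisted Content-Type, a POST with no Content-Type, and a POST with `multipart/form-data` lacking the trailing semicolon.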