From: Tavis R. <ta...@ca...> - 2002-01-02 16:52:58

On Wednesday 02 January 2002 00:00, Chuck Esterbrook wrote:
> On Tuesday 01 January 2002 08:58 pm, Edmund Lian wrote:
> > Indeed. If so though, why even give the would-be cracker such
> > precise information? Perhaps a 404 error should be returned no
> > matter what the cause, and just use a FilesToProtect setting
> > alone to simplify things. I'm not sure that having such
> > granularity (FilesToProtect and FilesToHide) would buy us
> > anything extra.
>
> I agree. Unless someone has an argument for 403 Forbidden, I prefer
> to just have 404 Not Found.

I'm not sure we gain anything extra by returning a 404 instead of 403. This is essentially security by obscurity, but it's not clear what we're trying to obscure. Anyone familiar with WebKit will know that .pyc files exist and that .py~ files probably exist. What else might we be revealing?

On the other hand, a 404 error in the logs means something different than a 403 error. Using 404 in this case would obscure what is really going on with bogus requests.

Apache returns 403 for a .htaccess, .htpasswd, etc. so I prefer it to 404. In fact, it returns 403 even if those files don't exist. The WebKit stuff is all happening after the webserver's initial request processing so those who do want a 404 message can still use mod_rewrite to get one.

Tavis
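An added example, not code from this thread or from WebKit, of the handler policy being debated: a FilesToProtect list answered with 403 and a FilesToHide list answered with 404, with the pattern check done before the filesystem is consulted so a protected name gets 403 whether or not it exists (the Apache behaviour Tavis describes). The setting names' semantics, the patterns, the `exists` callback and the sample file tree are all assumptions.

```python
import fnmatch
import posixpath
from typing import Callable, Iterable

# Constructed settings modelled on the FilesToProtect / FilesToHide names from
# the thread; these patterns are assumptions, not WebKit's actual defaults.
FILES_TO_PROTECT = ["*.pyc", "*.py~", "*.psp~"]  # answered with 403 Forbidden
FILES_TO_HIDE = [".htaccess", ".htpasswd"]       # answered with 404 Not Found


def _matches(name: str, patterns: Iterable[str]) -> bool:
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def status_for_request(url_path: str,
                       exists: Callable[[str], bool],
                       protect: Iterable[str] = FILES_TO_PROTECT,
                       hide: Iterable[str] = FILES_TO_HIDE) -> int:
    """Return the HTTP status a static-file handler should send for url_path.

    The pattern checks run before the filesystem is consulted, so a protected
    or hidden name gets the same answer whether or not the file exists. That
    keeps the status from leaking which protected files are actually present,
    and keeps 403 in the logs as the marker for requests that hit the policy.
    """
    # Drop any query string and collapse "." / ".." segments so that a request
    # like /app/../Main.pyc is judged by the name it really resolves to.
    clean = posixpath.normpath(url_path.split("?", 1)[0])
    name = posixpath.basename(clean)
    if _matches(name, hide):
        return 404
    if _matches(name, protect):
        return 403
    return 200 if exists(clean) else 404


# Constructed stand-in for the document root, so the example runs offline.
_FAKE_TREE = {"/index.html", "/app/Main.py", "/app/Main.pyc", "/app/Main.py~"}
fake_exists = _FAKE_TREE.__contains__

if __name__ == "__main__":
    for p in ["/index.html", "/app/Main.pyc", "/app/Main.py~",
              "/app/Other.pyc", "/app/../Main.py~?x=1", "/.htaccess",
              "/missing.html"]:
        print(p, status_for_request(p, fake_exists))
```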