Re: [mod-security-users] mod_security in .htaccess files opinions?
From: Gerwin K. -|- D. W. <ge...@di...> - 2004-09-30 13:37:27
Well, to be honest I think it's a job for admins to set up/maintain mod_security. We only configure it in httpd.conf and we think our customers have nothing to do with it. So we're not going to miss it :)

Gerwin

Ivan Ristic wrote:

> I am thinking about removing the ability of mod_security
> to have its configuration directives in .htaccess files. I
> am even considering doing that in the forthcoming 1.8.5
> release. I haven't made up my mind yet but I'd like to
> know what others think about it. For example:
>
> * Are you configuring mod_security from .htaccess files?
>
> * Are you aware mod_security can be used from .htaccess
>   files (AllowOverride AuthConfig is required)?
>
> * Would you consider giving other (semi-trusted) people
>   access to mod_security directives?
>
> Basically I am not convinced people are aware mod_security
> directives can be used from .htaccess files and about
> potential consequences. (I am to blame for that, of course,
> I should have documented that better.)
>
> On the other hand, I would hate to break backward
> compatibility in a minor, bug-fixing release. So the
> other option is to have .htaccess configuration directives
> off by default in 1.9.x, and introduce a global directive
> to enable it explicitly.
>
> Would someone care to share their views?