Re: [mod-security-users] Recommended vs Minimum Configuration
From: Ivan R. <iv...@we...> - 2005-03-10 09:43:25
Ann Hopkins wrote:

> DOCUMENTATION:
> SecFilterCheckCookieFormat Off

Since 1.8.7 the SecFilterCheckCookieFormat directive does nothing (read about it in the manual). I don't see this changing in the future.

> (Includes HEAD and a semicolon at the end)
> # Only accept request encodings we know how to handle
> # we exclude GET requests from this because some (automated)
> # clients supply "text/html" as Content-Type
> SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
> SecFilterSelective HTTP_Content-Type \
> "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

This is better. HTTP clients are not required to send a Content-Type header when HEAD is used. The semicolon at the end is not very important - I am yet to encounter a valid HTTP client that does not use it.

> Also is default status code 403 (forbidden) a better choice than 500
> (server bad) as I have seen 500 recommended in an article.

They are the same. 500 is somewhat "more stealthy" because it could be interpreted as an internal error (and errors often occur when someone is trying to hack). 403 implies the web server determined the request may be bad in some way.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
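The following is an added example, not code from the mailing-list thread or from the ModSecurity project. It mirrors the matching semantics of the chained SecFilterSelective rule quoted above in Python, using the two regular expressions exactly as posted, so that the HEAD exemption and the trailing semicolon on multipart/form-data can be checked against a few constructed requests. The treatment of a missing Content-Type header as an empty string, the sample requests and the function names are assumptions made for this example.

```python
import re
from typing import List, Optional, Tuple

# Patterns copied from the chained rule in the post. In ModSecurity 1.x the
# leading "!" negates the match, so the rule fires (request rejected) when:
#   1. REQUEST_METHOD does NOT match ^(GET|HEAD)$, and
#   2. HTTP_Content-Type does NOT match either accepted encoding.
METHOD_EXEMPT = re.compile(r"^(GET|HEAD)$")
CONTENT_TYPE_ACCEPTED = re.compile(
    r"(^application/x-www-form-urlencoded$|^multipart/form-data;)"
)


def request_rejected(method: str, content_type: Optional[str]) -> bool:
    """Return True when the chained rule would block the request."""
    # First link of the chain: GET and HEAD are exempt, so the chain stops
    # here and the Content-Type check is never evaluated for them.
    if METHOD_EXEMPT.match(method):
        return False
    # Assumption for this example: an absent header behaves like an empty
    # string, which matches neither accepted encoding and is therefore rejected.
    # This is why HEAD, which often carries no Content-Type, must be exempt.
    value = content_type or ""
    return CONTENT_TYPE_ACCEPTED.search(value) is None


# Constructed sample traffic (not captured from a real server).
SAMPLE_REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("GET", "text/html"),                                   # exempt method
    ("HEAD", None),                                         # exempt, no header
    ("POST", "application/x-www-form-urlencoded"),          # accepted
    ("POST", "multipart/form-data; boundary=----example"),  # accepted
    ("POST", "multipart/form-data"),                        # no ';' -> rejected
    ("POST", "text/html"),                                  # rejected
    ("POST", None),                                         # rejected
    ("PUT", "application/x-www-form-urlencoded; charset=utf-8"),  # '$' anchor -> rejected
]


def evaluate(samples: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str], bool]]:
    """Run every sample through the rule and return (method, content_type, rejected)."""
    return [(m, ct, request_rejected(m, ct)) for m, ct in samples]


if __name__ == "__main__":
    for method, ct, rejected in evaluate(SAMPLE_REQUESTS):
        verdict = "REJECT" if rejected else "allow "
        print(f"{verdict}  {method:<5} Content-Type={ct!r}")
```

One thing the walk-through makes visible is the effect of the `$` anchor on the first accepted pattern: a Content-Type of `application/x-www-form-urlencoded; charset=utf-8` is rejected because the anchor allows nothing after the media type. Whether that is acceptable depends on the clients a site actually serves, so it is worth checking the rule against real request logs before deploying it.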