Re: [users@httpd] changing the error status code for forbidden resources

Wed, 23 May 2007 06:22:46 -0700

Thanks! I really appreciate your input. It may be a waste of time for you but not for someone like me who has just started to learn such things. 
bpg

Joshua Slive wrote:

On 5/22/07, Bhagwati Gupta <[EMAIL PROTECTED]> wrote:

Hi,
    I am running Apache 2.2.3 on my Debian 3.1 sarge machine. My local
web security team has examined the system and generated a detailed
security report. One of the issues that I am having difficulty to fix
relates to hidden directories. I have been advised to change the server
configuration such that '404 - not found' response is issued for
forbidden resources as opposed to '403 - forbidden' response. I have
tried looking on the web but have yet to find anything that could solve
my problem. I am not sure exactly how server responses for hidden
directories (or missing files) can be customized. Could you please help?
Thanks!


Sounds like a silly waste of time to me. (Actually, it's more than a
waste of time, it is deliberately crippling of HTTP.)

But anyway, if you want to lie about error codes, you can go all the
way and change the to redirects:

ErrorDocument 404 http://example.com/not_found.html
ErrorDocument 403 http://example.com/not_found.html

If you just want to lie about 403 only, then the only way I know
(other than editing the code)  is to point to a cgi script that emits
its own "Status: 404" header:
ErrorDocument 403 /cgi-bin/lie-about-the-status-code.pl

Joshua.

---------------------------------------------------------------------

The official User-To-User support forum of the Apache HTTP Server 
Project.

See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]















    











					Reply via email to