Posted to users@httpd.apache.org by Bhagwati Gupta <bp...@yahoo.com> on 2007/05/22 22:55:07 UTC

[users@httpd] changing the error status code for forbidden resources

Hi,
    I am running Apache 2.2.3 on my Debian 3.1 sarge machine. My local 
web security team has examined the system and generated a detailed 
security report. One of the issues that I am having difficulty fixing 
relates to hidden directories. I have been advised to change the server 
configuration such that '404 - not found' response is issued for 
forbidden resources as opposed to '403 - forbidden' response. I have 
tried looking on the web but have yet to find anything that could solve 
my problem. I am not sure exactly how server responses for hidden 
directories (or missing files) can be customized. Could you please help? 
Thanks!

bpg

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] changing the error status code for forbidden resources

Posted by Bhagwati Gupta <bp...@yahoo.com>.
Thanks! I really appreciate your input. It may be a waste of time for 
you but not for someone like me who has just started to learn such things.
bpg

Joshua Slive wrote:
> On 5/22/07, Bhagwati Gupta <bp...@yahoo.com> wrote:
>> Hi,
>>     I am running Apache 2.2.3 on my Debian 3.1 sarge machine. My local
>> web security team has examined the system and generated a detailed
>> security report. One of the issues that I am having difficulty fixing
>> relates to hidden directories. I have been advised to change the server
>> configuration such that '404 - not found' response is issued for
>> forbidden resources as opposed to '403 - forbidden' response. I have
>> tried looking on the web but have yet to find anything that could solve
>> my problem. I am not sure exactly how server responses for hidden
>> directories (or missing files) can be customized. Could you please help?
>> Thanks!
>
> Sounds like a silly waste of time to me. (Actually, it's more than a
> waste of time, it is deliberate crippling of HTTP.)
>
> But anyway, if you want to lie about error codes, you can go all the
> way and change them to redirects:
>
> ErrorDocument 404 http://example.com/not_found.html
> ErrorDocument 403 http://example.com/not_found.html
>
> If you just want to lie about 403 only, then the only way I know
> (other than editing the code) is to point to a CGI script that emits
> its own "Status: 404" header:
> ErrorDocument 403 /cgi-bin/lie-about-the-status-code.pl
>
> Joshua.


Re: [users@httpd] changing the error status code for forbidden resources

Posted by Joshua Slive <jo...@slive.ca>.
On 5/22/07, Bhagwati Gupta <bp...@yahoo.com> wrote:
> Hi,
>     I am running Apache 2.2.3 on my Debian 3.1 sarge machine. My local
> web security team has examined the system and generated a detailed
> security report. One of the issues that I am having difficulty fixing
> relates to hidden directories. I have been advised to change the server
> configuration such that '404 - not found' response is issued for
> forbidden resources as opposed to '403 - forbidden' response. I have
> tried looking on the web but have yet to find anything that could solve
> my problem. I am not sure exactly how server responses for hidden
> directories (or missing files) can be customized. Could you please help?
> Thanks!

Sounds like a silly waste of time to me. (Actually, it's more than a
waste of time, it is deliberate crippling of HTTP.)

But anyway, if you want to lie about error codes, you can go all the
way and change them to redirects:

ErrorDocument 404 http://example.com/not_found.html
ErrorDocument 403 http://example.com/not_found.html

If you just want to lie about 403 only, then the only way I know
(other than editing the code) is to point to a CGI script that emits
its own "Status: 404" header:
ErrorDocument 403 /cgi-bin/lie-about-the-status-code.pl

Joshua.
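
A sketch of the kind of CGI script the reply above describes, as an added example that is not part of the original thread or of Apache itself. It is written in Python rather than the Perl that the `.pl` file name suggests. It assumes Apache passes the originally requested path in `REDIRECT_URL`, and the body template is an assumption modeled on a stock 404 page that should be compared against a real 404 from the server in question.

```python
#!/usr/bin/env python3
"""CGI target for an 'ErrorDocument 403 /cgi-bin/...' line (added example)."""
import html
import os
import sys

# Assumption: body modeled on a stock 404 page. Capture a real 404 from your
# own server and adjust this template until the two responses match.
BODY_TEMPLATE = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>404 Not Found</title>\n</head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL {url} was not found on this server.</p>\n"
    "</body></html>\n"
)


def build_response(environ):
    """Return the complete CGI response (headers, blank line, body) as bytes."""
    # For a local ErrorDocument the original path arrives in REDIRECT_URL;
    # REQUEST_URI is only a fallback for when the script is requested directly.
    url = environ.get("REDIRECT_URL") or environ.get("REQUEST_URI") or "/"
    url = url.split("?", 1)[0]  # the error page echoes the path only
    # The path is client-controlled and reflected into HTML, so escape it.
    page = BODY_TEMPLATE.format(url=html.escape(url, quote=True))
    body = page.encode("ascii", "xmlcharrefreplace")
    headers = [
        "Status: 404 Not Found",  # replaces the 403 the server would send
        "Content-Type: text/html; charset=iso-8859-1",
        "Content-Length: %d" % len(body),
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + body


if __name__ == "__main__":
    sys.stdout.buffer.write(build_response(os.environ))
    sys.stdout.buffer.flush()
```

If the headers or body of this response differ in any way from a genuine 404 on the same server, a client can still tell forbidden paths from missing ones, so compare the two responses byte for byte after deploying.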
