httpd-users mailing list archives

From "Hugh E Cruickshank"
Subject RE: [users@httpd] Directory hiding
Date Tue, 16 Sep 2008 05:57:49 GMT
From: Nick Kew
Sent: September 15, 2008 19:43
> On 16 Sep 2008, at 02:44, Hugh E Cruickshank wrote:
> > Right now if someone were to attempt to access these subdirectories
> > (i.e. they would receive a 403
> > Forbidden error message. Unfortunately this is not quite acceptable
> > to the IBM Rational AppScan utility which recommends that a 404
> > Not found error should be issued.
> I suspect you're misreading your AppScan.

That is a good possibility.

> It's warning about potentially exposing your filesystem information.

Most probably.

> But there's nothing secret about a directory containing a web-facing
> application!

That may be the case but their recommendation is still: Issue a "404 -
Not Found" response status code for a forbidden resource, or remove it

> Having said that, rtfm ErrorDocument for one way to do what you ask,
> if it's for some ignorant PHB's box-ticking exercise.

Colour me stupid but as far as I can tell ErrorDocument only provides
for the replacement of the text of a message. I cannot see how it can
be used to force a 404 instead of a 403.

Thanks for your response anyway.

Regards, Hugh

Hugh E Cruickshank, Forward Software, 

The official User-To-User support forum of the Apache HTTP Server Project.