[TYPO3-core] Moving files to a docs-subdir / .htaccess for "security" / nginx-configuration
Jigal van Hemert
jigal.van.hemert at typo3.org
Sun Mar 9 16:55:26 CET 2014
Hi,
On 9-3-2014 16:33, Stefan Neufeind wrote:
> some default-setups of Apache. The argument was that hiding ChangeLog
> (easily exposing a version-number) might make sense as to at least not
> easily expose the TYPO3-version. Of course there are other ways to
> determine the rough or maybe even exact version-number.
Security by obscurity usually isn't effective. Any malicious visitor is
surely not going to check the changelog for the version number and after
that apply any exploits they have for that version.
They simply try a load of exploits (or tests for exploits) and see if
they can get in.
> So how do you
> * think about a docs-directory
+1 To move as much as possible from the root (only a readme pointing to
the location of the documentation)
> * the .htaccess-"security"
Fine, doesn't add much security here, but at least some audit might
complain a bit less about information disclosure.
> * the nginx-configuration (to be provided with a separate review shortly
> then)
Sure, why not? We already have hints and clues for all kinds of
situations and already ship configuration for Apache.
--
Jigal van Hemert
TYPO3 CMS Active Contributor
TYPO3 .... inspiring people to share!
Get involved: typo3.org