[dokuwiki] Re: Dokuwiki http headers...

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Sat, 23 Oct 2010 10:05:21 +0200

> I agree that while hiding the content (restricting access to the content)
> isn't the same as hiding the page exists, there are times where the page
> title (the url) can be just as interesting to someone as the content.
>
> Hiding the page is a way to reduce/eliminate the traffic analysis that a
> potential attacker can do.

We had this discussion multiple times. This is simply not what
DokuWiki is intended for. The information whether a page exists is
"leaked" at several places in DokuWiki (link colors, status code, error
messages, probably more). If firstheading is enabled, even the title
of the page is given away. If you have content where the pure
knowledge that it exists is an information leak already, don't put it
in the wiki. It does not belong there.

Whether the HTTP code for access denied is correct is debatable. But we
do send 200 headers for non-existing pages by default as well. So if you
enable send404, it might be sensible to send a 403 for access denied
cases.

Andi

-- 
splitbrain.org