I'd like to change certain directories (like /icons/) from 403 forbidden to 404 not found
I got a security check and I have to fix the problems.
I operate the homepage on a virtual machine (Ubuntu 16.04.3) with apache2 (Apache 2.4.18).
The security check said that accessing ~/icons/, ~/icons/small/ and ~/javascript/ gets the response status code 403 (Forbidden), and I have to change them to status code 404 (Not Found) for security.
So I added this to the .htaccess file:
RedirectMatch 404 /icons/
RedirectMatch 404 /icons/small/
RedirectMatch 404 /javascript/
but it didn't work...
Actually, when I add
RedirectMatch 404 /intro/
then it works for ~/intro/.
So I think /icons/ and /javascript/ are something different.
Does anybody know why and how to deal with it?
/icons/ is aliased to /usr/share/apache2/icons/, and I changed it to
RedirectMatch 404 /usr/share/apache2/icons/
but that also doesn't work....
apache2
edited Dec 30 '18 at 10:14 – vidarlo
asked Dec 30 '18 at 9:11 – dreamcacao
1 Answer
First of all, this is essentially cover-your-ass security. If you use any resources from /icons/ it will be fairly obvious that it is there, and a 404 will not change that. A 403 indicates that the server is correctly configured.
If you really want to do this, RedirectMatch is the way to go.
RedirectMatch 404 ^/icons/$
will return 404 for example.com/icons/, but not example.com/icons/foo.png.
RedirectMatch 404 ^/icons/.*$
will return 404 for example.com/icons/foo.png (and any other file in icons) as well.
Note that if the resources in /icons/ are referenced directly in the output to the browser, this does not improve security in any way, as it's trivially evident that /icons exists. If they are not referenced in the output, but merely used as input for scripts, you should consider moving them out of webroot.
answered Dec 30 '18 at 10:13 – vidarlo
Thanks a lot! I also think this is a useless security check... Anyway, your solution doesn't work. I don't know, but I think ~/icons/ and ~/javascript/ are something special. – dreamcacao Dec 31 '18 at 6:10
Is the URL example.com/~/icons? – vidarlo Dec 31 '18 at 11:00
No, the URL is example.com/icons/, example.com/icons/small/, example.com/javascript/. I'm sorry for the late reply. I've got a cold.... – dreamcacao Jan 4 at 1:19
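An added configuration example, not part of the answer or comments above: the question notes that /icons/ is served through an Alias to /usr/share/apache2/icons/, a path outside the document root, so an .htaccess file in the document root is never read for those requests. The same RedirectMatch rules placed in server context are matched against the URL path, and mod_alias processes redirects before aliases. The <VirtualHost> wrapper and ServerName are placeholders, and /javascript/ is assumed to be Alias-mapped in the same way.

```apache
# Added example, not from the thread. Assumption: these lines go in the
# virtual host (or main server) configuration, not in .htaccess.
<VirtualHost *:80>
    # Placeholder host name taken from the example URLs in the thread.
    ServerName example.com

    # RedirectMatch takes a regex on the URL path, never a filesystem path,
    # so /usr/share/apache2/icons/ must not appear in the pattern.
    # Anchoring with ^ keeps a path such as /docs/icons/ from matching.

    # Directory URLs only: these are the requests the scan reported as 403.
    # Files below them, e.g. /icons/foo.png, are still served.
    RedirectMatch 404 ^/icons/$
    RedirectMatch 404 ^/icons/small/$
    RedirectMatch 404 ^/javascript/$

    # Stricter alternative: answer 404 for everything under both prefixes.
    # Use this only if no page on the site references these resources.
    # RedirectMatch 404 ^/(icons|javascript)/
</VirtualHost>
```

After reloading Apache, `curl -I` against example.com/icons/ and example.com/javascript/ should show 404, while files such as example.com/icons/foo.png stay reachable under the directory-only rules.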