[LUAU] apache security question
Jaymes Schooler
jimsch at ichgroup.com
Tue Feb 8 15:34:32 PST 2005
And rightfully so... being paranoid, that is. You may want to use
something a little stronger for authorization, such as mysqlauth or
almost any other authentication scheme/module. Also, you may want to
include nobots.txt in any directory you do not want a search engine to
probe.
-----Original Message-----
From: luau-bounces at lists.hosef.org [mailto:luau-bounces at lists.hosef.org]
On Behalf Of Tom Gordon
Sent: Tuesday, February 08, 2005 12:05 PM
To: LUAU
Subject: Re: [LUAU] apache security question
Charles Lockhart wrote:
> So, we have a script or something that every time you create a
> directory in that secure directory, the script adds an .htaccess file,
> and the .htaccess file is used to enforce privacy, requiring a
> username and password to log in. I'm told that this should be secure
> enough to keep people from accessing the private area, and to prevent
> information from turning up on Google + etc.
>
> So my question is, is that correct? I have no webmaster experience,
> and very limited privacy/security experience, so I'm not setting that
> up, our network admin is, but I figured I'd get a second (third,
> fourth, fifth...) opinion.
>
HTTP Auth should be enough for a wiki. I don't know anything about your
particular wiki, so consider the flaw of HTTP Auth for yourself. The
session is handled entirely on the client-side (no specification for
"logging off"). And the authentication can be passed in the URI/REFERER
strings. A funky browser behavior could, in turn, send this kind of info
to a foreign entity (Google, etc). But I may just be paranoid.
Tom
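
An added example, not part of the thread and not any list member's own code: a Python audit of the setup Charles describes, reporting directories that no login-enforcing .htaccess covers (for instance one the script missed). It assumes Apache honors .htaccess there (AllowOverride AuthConfig), treats a parent's file as covering its subdirectories, and does not model a child file that relaxes access; the sample tree and the htpasswd path are constructed.

```python
import os
import re
import tempfile

# A login is enforced only when an auth scheme AND a user-based Require are set.
AUTH_TYPE = re.compile(r"^\s*AuthType\s+\S+", re.I | re.M)
REQUIRE = re.compile(r"^\s*Require\s+(valid-user|user\s+\S+|group\s+\S+)", re.I | re.M)

def enforces_login(directory):
    """True if directory/.htaccess has both AuthType and a user-based Require."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8",
                  errors="replace") as fh:
            # Drop comment lines so a commented-out directive does not count.
            text = "\n".join(ln for ln in fh.read().splitlines()
                             if not ln.lstrip().startswith("#"))
    except OSError:
        return False  # missing or unreadable file: nothing is enforced here
    return bool(AUTH_TYPE.search(text) and REQUIRE.search(text))

def unprotected_dirs(root):
    """Relative paths under root not covered by a login-enforcing .htaccess
    in the directory itself or in any ancestor up to root."""
    root = os.path.abspath(root)
    covered, missing = {}, []
    for current, _dirs, _files in os.walk(root):  # top-down: parents first
        parent = os.path.dirname(current)
        covered[current] = covered.get(parent, False) or enforces_login(current)
        if not covered[current]:
            missing.append(os.path.relpath(current, root))
    return sorted(missing)

def build_sample_tree(root):
    """Constructed sample: 'docs' got its .htaccess, 'drafts' was missed."""
    htaccess = ('AuthType Basic\nAuthName "Private"\n'
                "AuthUserFile /path/to/htpasswd\nRequire valid-user\n")
    for rel in ("docs/old", "drafts/notes"):
        os.makedirs(os.path.join(root, rel))
    with open(os.path.join(root, "docs", ".htaccess"), "w") as fh:
        fh.write(htaccess)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in unprotected_dirs(tmp):
            print("no login enforced:", rel)
```

A "." in the output means the top-level directory itself has no login-enforcing .htaccess.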