[WEB SECURITY] apache issue

Ivan Ristic ivan.ristic at gmail.com
Tue Jun 7 13:46:20 EDT 2005


> <Limit GET>
>    order deny,allow
>    deny from all
> </Limit>

This will only reject GET and HEAD requests (HEAD is always implied
when GET is used), allowing all other request methods to proceed. For
example, "GET /index.php HTTP/1.0" would not be allowed, but "POST
/index.php HTTP/1.0" would. Even "XYZ /index.php HTTP/1.0" works in my
tests. Omitting the <Limit> container is better because the
restrictions are applied to all request methods equally.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
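
Added example, not part of the original message: a small Python audit that finds access-control directives sitting inside a `<Limit>` container and lists which request methods they leave uncovered, following the behaviour described in the post. The function names, the probe methods and the sample configuration (including its directory paths) are constructed for illustration.

```python
import re

# Access-control directives; inside <Limit> they bind only to the listed methods.
ACCESS = re.compile(r"^\s*(order|deny|allow|require|satisfy)\b", re.I)
# "\s+" after "Limit" keeps <LimitExcept ...> from matching.
LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]*)>", re.I)
LIMIT_CLOSE = re.compile(r"^\s*</Limit>", re.I)

# Constructed sample configuration (paths are placeholders).
SAMPLE = """\
<Directory /var/www/private>
    <Limit GET>
        order deny,allow
        deny from all
    </Limit>
</Directory>
<Directory /var/www/locked>
    order deny,allow
    deny from all
</Directory>
"""

def find_method_scoped_rules(config_text):
    """Return (line_no, covered_methods, directive) for each access rule in <Limit>."""
    findings, methods = [], None
    for no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        opened = LIMIT_OPEN.match(line)
        if opened:
            methods = {m.upper() for m in opened.group(1).split()}
            if "GET" in methods:
                methods.add("HEAD")  # HEAD is implied when GET is listed
        elif LIMIT_CLOSE.match(line):
            methods = None
        elif methods is not None and ACCESS.match(line):
            findings.append((no, sorted(methods), line.strip()))
    return findings

def unrestricted_methods(covered, probes=("GET", "HEAD", "POST", "XYZ")):
    """Probe methods that a <Limit>-scoped rule does not apply to."""
    return [p for p in probes if p not in covered]

if __name__ == "__main__":
    for no, covered, directive in find_method_scoped_rules(SAMPLE):
        print(f"line {no}: '{directive}' applies only to {covered}; "
              f"not applied to {unrestricted_methods(covered)}")
```

The second `<Directory>` block in the sample has no `<Limit>` container, so it produces no finding.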


