Krokodilcsirke
Thursday, January 08, 2004
 
mod_rewrite and security
The security risks associated with mod_rewrite are not particularly high; it is certainly no riskier than running a site that uses only basic password authorization.

If you do not allow anonymous FTP access to your site, I would not worry about mod_rewrite, or any other Apache module. In order to be a risk, your .htaccess, .passwd, and cgi files have to be FTP-writable; disallowing non-password-protected uploads of these files provides a reasonable level of security. Since HTTP can't do file writes, and FTP is protected, this usually leaves "inside jobs" (access to your site from within the server itself) as the only open door. Hopefully, your host does a good job of preventing that from their end, and the scripts you use are well-written enough to prevent unauthorized use of any script that might have unlimited file-writing capability.

In addition, using mod_rewrite and mod_access allows you to put in place mechanisms that stop random probing of your site's resources, which adds to the security of the site.

So, why do hosting companies and IT departments prefer to disable mod_rewrite? Because it is powerful, and one little typo can take a site down with 500 server errors. A slight design error can scramble up your URLs, leaving the site unusable until the rewrite rules are corrected. So hosting companies and IT departments cut costs by not supporting it: either they disable it completely, or they say, "You're on your own if you use it."

I'm not quite sure why people find it so daunting; the documentation is online, and is relatively short and concise. But hosting companies and IT departments are under a lot of cost-reduction pressure, so I guess developing any kind of support expertise is out of the question for most of them.
 