>I can't see what this security issue has to do with SE 
> friendly URLs, please explain?

To make SES URLs work (i.e. foo.cfm/parm/value) you have to shut OFF the setting for 
"verify that pages exist" in IIS.

If you do that, you open yourself up to the exploit described at Bugtraq, where 
certain types of requests will reveal the true web root on the server.  

For that reason, MM issued the warning they did, copied at the BugTraq site.  The 
warning said "don't do that" which more or less killed that widely used technique, 
unless you have a site-wide error handler that handles CF 404's, in which case you're 
safe.  

However I *think* the SW errhandler only protected you pre-MX.  My memory is way hazy 
on this point and may be dead wrong.

-------------------------------------------
 Matt Robertson,     [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------


---------- Original Message ----------------------------------
From: "Taco Fleur" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Wed, 9 Jul 2003 06:59:55 +1000

>
>-----Original Message-----
>From: Matt Robertson [mailto:[EMAIL PROTECTED] 
>Sent: Wednesday, 9 July 2003 6:35 AM
>To: CF-Talk
>Subject: Re: Search Engine Optimization
>
>
>Is there any benefit whatsoever to the first point (parsing other
>extensions thru CF)?  
>
>I can believe it might have been true in the past but I've never had a
>problem getting CF pages indexed.  I thought it was the parameters that
>*might* get you; not the page extension.  Anyone with recent experience
>to the contrary?
>
>I'd add that you should publish to static HTML wherever possible (which
>may be the bulk of the pages on many sites).  I do it because I'm greedy
>about conserving server resources, but I sell it to clients by telling
>them the links are more SE-friendly.  
>
>Of course you can always do the old blah.cfm/parm/value bit, but that
>opened up a security hole in CF.  
>
>http://www.securityfocus.com/advisories/4110
>
>I use it on 4.5 cuz I have a site-wide error handler, whose special
>handling of 404's supposedly makes the technique safe to use.
>
>Did this ever get patched in one of the MX updaters?
>
>-------------------------------------------
> Matt Robertson,     [EMAIL PROTECTED]
> MSB Designs, Inc. http://mysecretbase.com
>-------------------------------------------
>
>
>---------- Original Message ----------------------------------
>From: Gyrus <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>Date: Tue, 08 Jul 2003 21:07:01 +0100
>
>>At 15:37 08/07/2003 -0400, you wrote:
>>>There was a thread on this list recently about Search Engine
>>>Optimization for CF sites. Just so happens SEO has become an issue for
>>>me on a freelance project, and I want to start a list of best
>>>practices I can work into my development processes. Thus far, I have
>>>three items:
>>>
>>>1) Configure the server to run other file extensions through the CF 
>>>parser (i.e. HTM, HTML) in order to avoid being ignored
>>>2) Use meta description and meta keyword tags to indicate content on 
>>>the site
>>>3) Use search engine safe links instead of passing CGI parameters
>>
>>Making sure the crawler bots index your pages is obviously the best first
>>step... Bear in mind that Googlebot and others can index dynamic pages, but
>>only if they're linked to from static pages (i.e. ones with a "?" in the
>>URL). But then special pages of links for crawlers are only a last resort,
>>and using some sort of other site-wide technique (slash-delimited query
>>strings, or getting your CMS to write out flat HTML files) is preferable.
>>
>>But as far as actual optimisation goes, the following rules are important
>>in today's Google-centric web (more than META keywords and description,
>>though I always use these anyway, for their potential value for things
>>other than Google):
>>
>>- Put keywords in the TITLE tag of your page. I used to avoid this cos I
>>sympathise with people bookmarking things and having to change the title to
>>something short and useful in your browser. But then, if no one finds your
>>page, how can they bookmark it? ;-)  I go for a reasonable phrase-like
>>string like "Cheap Banana Imports for UK Retail, from XYZ corp" - instead
>>of "XYZ corp - Home" (which is nicer for bookmarking, but useless for
>>search engines).
>>
>>- Use structural XHTML markup wherever possible. Make sure the H1 tag
>>contains keywords relevant to the page's topic (without rendering it silly
>>as a human-readable main title of course). Pages with keywords in the
>>TITLE, H1, and body text near the top of the page get higher rankings than
>>those that don't.
>>
>>- If possible, use table-less CSS layouts. Then you can shove your H1 and
>>main content right at the top of the markup, even if in the layout it comes
>>underneath loads of navigation and banners and whatnot. These can be shoved
>>at the bottom of the code, but positioned at the top using CSS positioning.
>>Obviously in tables, you're often forced to have your left-hand side nav as
>>well as your top nav above the content in your markup. This means lower
>>rankings.
>>
>>These aren't set in stone, but they've got me some pretty good rankings
>>so far.
>>
>>HTH,
>>
>>Gyrus
>>[EMAIL PROTECTED]
>>play: http://norlonto.net/
>>work: http://tengai.co.uk/
>>PGP key available
>>
>>
>
>
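A check for the web-root disclosure discussed in the reply at the top of this message, as an added example that is not part of the original thread: it scans response bodies for absolute Windows paths, so you can confirm that a site-wide 404 handler really keeps them out of error pages. The sample bodies and the names `find_path_leaks` and `audit` are constructed for illustration and do not reproduce real ColdFusion or IIS output.

```python
import html
import re

# Drive-letter paths such as D:\Sites\example\wwwroot\index.cfm. Directory
# names may contain spaces; the last component may not, so a match ends with
# the path instead of running on into the surrounding sentence.
WIN_PATH = re.compile(r"\b[A-Za-z]:\\(?:[\w.$ -]+\\)*[\w.$-]+")

# Constructed sample bodies (not real ColdFusion or IIS output).
VERBOSE_404 = ("<h1>Error</h1><p>File not found: "
               "D:&#92;Sites&#92;example&#92;wwwroot&#92;no-such-page.cfm</p>")
HANDLED_404 = "<h1>Page not found</h1><p>Try the <a href='/'>home page</a>.</p>"
NORMAL_PAGE = "<h1>Products</h1><p>See http://example.com/foo.cfm/parm/value</p>"


def find_path_leaks(body: str) -> list[str]:
    """Return the unique absolute filesystem paths found in a response body."""
    text = html.unescape(body)  # error pages often entity-encode the backslash
    return sorted(set(WIN_PATH.findall(text)))


def audit(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each response label to the paths it discloses; clean ones are omitted."""
    findings = {}
    for label, body in responses.items():
        leaks = find_path_leaks(body)
        if leaks:
            findings[label] = leaks
    return findings


if __name__ == "__main__":
    report = audit({
        "404 without handler": VERBOSE_404,
        "404 with site-wide handler": HANDLED_404,
        "normal SES page": NORMAL_PAGE,
    })
    for label, leaks in report.items():
        print(f"LEAK  {label}: {', '.join(leaks)}")
```

Feed it the bodies your own server returns for missing .cfm pages before and after enabling the handler; an empty result from `audit` means no drive-letter path reached the client.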