Hi Sheryl,

Thanks for your reply.

I'm not sure how I can give users a better solution as they need .htaccess files on their webroot.

Regards,
James

On Thu, Jul 8, 2010 at 11:42 PM, Sheryl <[email protected]> wrote:
> > Hi All,
> >
> > I would like to hear your ideas of what are the pros and cons if I will
> > set a specific directive-type for AllowOverride like AuthConfig,
> > FileInfo, Indexes, Limit, and Options?
>
> Most security guidelines say no to Indexes. It's tolerable to allow
> overrides on most things for a development box for developer convenience,
> but by the time a site gets to production (particularly outside-facing)
> pretty much anything worked out in .htaccess should be rolled into the
> httpd.conf.
>
> > I am just concerned about security matters that will produce if I will give
> > the user full access on .htaccess (AllowOverride All) on their webroot?
>
> I would resist, or at minimum get support for not allowing it in QA and
> production. Something you can use for support is the CISecurity Apache
> Benchmark. It's downloadable for free from cisecurity.org. I just took a
> quick look and they recommend "AllowOverride None".
>
> Sheryl
>
> > Thanks.
> > James
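
The AllowOverride choices discussed in this thread, side by side, as an added configuration example that is not part of the original messages. The directory paths and the ErrorDocument rule are hypothetical; the directive types are the ones named in the question.

```apache
# Added example; all directory paths below are hypothetical.

# Baseline: .htaccess files are ignored everywhere unless a more
# specific <Directory> block re-enables them.
<Directory />
    AllowOverride None
    Options None
</Directory>

# Setting the thread is worried about (shown commented out): every
# directive type may be overridden from .htaccess, including Options
# and Indexes.
#<Directory /srv/www/users>
#    AllowOverride All
#</Directory>

# Narrower alternative for user webroots: .htaccess still works, but
# only for the listed directive types.
<Directory /srv/www/users>
    # AuthConfig: AuthType, AuthUserFile, Require, ...
    # FileInfo:   ErrorDocument, AddType, RewriteRule, ...
    # Limit:      Order, Allow, Deny
    # Indexes and Options are left out, so a user's .htaccess cannot
    # change Options (for example to turn on directory listings).
    AllowOverride AuthConfig FileInfo Limit
    # Set centrally; mod_rewrite rules in .htaccess need one of the
    # symlink options to be enabled.
    Options SymLinksIfOwnerMatch
</Directory>

# Production form described in the reply: rules worked out in
# .htaccess are moved into the server configuration and overrides
# are switched off for that site.
<Directory /srv/www/site1>
    AllowOverride None
    Options None
    ErrorDocument 404 /errors/404.html
</Directory>
```

With the narrower setting, a .htaccess file that uses a directive from a type not listed makes requests under that directory fail with a server error by default, so existing user files should be reviewed before tightening. The syntax can be checked with `apachectl configtest` before reloading.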
