You move the application out of the web-root (just keep the index.cfm and
the basic things there). You can also use your web-server's built-in
functionality to block access to these things, like: permissions on IIS, or
.htaccess (perhaps deny everything except index.cfm).
I wouldn't expose that to every user: that would give a very good insight
into your business logic!
-------------------------------------------------------------
Hugo Ahlenius E-Mail: [EMAIL PROTECTED]
Project Officer Phone: +46 8 230460
UNEP GRID-Arendal Fax: +46 8 230441
Stockholm Office Mobile: +46 733 467111
WWW: http://www.grida.no
-------------------------------------------------------------
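Hugo's second suggestion, denying everything in the web root except index.cfm, written out as an Apache httpd.conf fragment. This is an added example, not code from the thread or from Mach-II; the web-root path /var/www/cfsite is assumed, and the directives use Apache 2.4 syntax (2.2 equivalents are noted in comments).

```apache
# Added example (not from the thread): httpd.conf fragment for a
# ColdFusion site whose web root is /var/www/cfsite (assumed path).
# Apache 2.4 syntax; on 2.2 use "Order deny,allow" + "Deny from all"
# in place of "Require all denied", and "Allow from all" for "granted".

<Directory "/var/www/cfsite">
    # Default: nothing under the web root is served directly.
    Require all denied

    # Exception: the framework's single entry point. <Files> sections
    # are merged after <Directory> sections, so this wins for index.cfm.
    # Static assets (css/, images/) would get their own <Directory>
    # block with "Require all granted".
    <Files "index.cfm">
        Require all granted
    </Files>
</Directory>

# The framework's config directory, if it stays under the web root:
# mach-ii.xml is plain XML and would otherwise be served verbatim.
<Directory "/var/www/cfsite/config">
    Require all denied
</Directory>

# Refuse any other XML reached through the web root as well, in case a
# copy of the config ends up somewhere other than config/.
<FilesMatch "\.xml$">
    Require all denied
</FilesMatch>
```

After reloading Apache, a request for /config/mach-ii.xml should return 403 while /index.cfm is still handed to ColdFusion; IIS does not read these directives, so there the equivalent is file-system permissions or a request filter on the config directory.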
---- Original Message ----
From: "Douglas Humphris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 04, 2004 12:25
Subject: [CFCDev] Mach-ii config file
| I'm surprised that the Mach-II skeleton framework has the main
| Mach-II.xml config file in the webroot so that anyone can browse
| directly to /config/mach-ii.xml and read all your events etc. I just
| feel uncomfortable with exposing the inners of my application, so I've
| moved my config file up one level to hide it.
|
| I'm not a security/hacker expert, so was just wondering if anyone can
| say whether I'm worrying about nothing? On the flip side, when I was
| learning Mach-ii a few weeks ago, I found it useful to look up other
| live mach-ii.xml files and see what others are doing.
|
| Douglas
|
| ----------------------------------------------------------
| You are subscribed to cfcdev. To unsubscribe, send an email
| to [EMAIL PROTECTED] with the words 'unsubscribe cfcdev'
| in the message of the email.
|
| CFCDev is run by CFCZone (www.cfczone.org) and supported
| by Mindtool, Corporation (www.mindtool.com).
|
| An archive of the CFCDev list is available at
| www.mail-archive.com/[EMAIL PROTECTED]