On Wed, Mar 18, 2015 at 7:40 PM, Warren Young <[email protected]> wrote:
> On Mar 18, 2015, at 9:07 AM, Yitzchak Scott-Thoennes <[email protected]> wrote:
> >
> > On Wed, Mar 18, 2015 at 7:55 AM, Warren Young <[email protected]> wrote:
> >> On Mar 16, 2015, at 11:58 PM, Gabor Szabo <[email protected]> wrote:
> >>> Actually I think I know what I'd like, regardless the defaults: I'd like the default configuration files to contain commented out entries for every (or every important) parameter with short explanation and/or with link to the longer explanation.
> >>
> >> So you want roadblocks. You want the dancer helper app to generate an app that won’t run at all until you go in and hack on some configuration files. Do I have that right?
> >
> > No, you don't. Read it again?
>
> Yes, I know what it says. I also know what he asked for originally, and what the title of this thread is.
>
> I don’t see how it makes Dancer more secure to point users to the docs from a configuration file when those docs are already present. The only way a configuration file change can make Dancer more secure is to either bind to localhost, or turn off the listener entirely, in order to force users to RTFM before they can get a new Dancer app to do what they almost certainly actually want.
>
> Regardless, the claim that Dancer is “insecure” by default has yet to be demonstrated. Show me an attack on a default Dancer app, and we can talk about it. Simply pointing out that it listens on a public IP is not a demonstration of insecurity.
>

The title of this message probably should have been a question or phrased in some other way, but the suggestion to have commented out configuration options?
How would these entries in the configuration file constitute a roadblock?

# Enable the following line to limit the server to only listen to localhost:
# server: "127.0.0.1"

# Enable the following line to turn on file-based session management:
# session: "YAML"

Gabor
_______________________________________________
dancer-users mailing list
[email protected]
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
