I've used this for traversal tests, but my experience is the false positive rate is very high. I ended up writing some rules to filter the test. https://github.com/wireghoul/dotdotpwn
My experience with deny in nginx is the URL isn't hidden. That is, I think a crawler will see the "secret" location. Can you set this up for the 444 code, that is, no reply? Rethinking this, I suppose if the webserver has no traversal issues, I guess this would be secure. But it wouldn't surprise me if some bot looks for /secret.
On 19 May 2017 at 17:24, ohmykot <nginx-fo...@forum.nginx.org> wrote:
> Hi!
_______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
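For reference, the two behaviours discussed in the reply above, as an added configuration example that is not part of the poster's message or any project's own config. The path /secret and the upstream names are constructed placeholders; `deny` and `return 444` are standard nginx directives.

```nginx
# Added example, not from the original message.
# Option A: deny all. nginx answers 403 Forbidden, which confirms to a
# scanner that the location exists (different status than an unknown path).
location /secret-deny-example/ {          # placeholder path, constructed
    deny all;
}

# Option B: return 444. nginx closes the connection without sending any
# response, so the location is indistinguishable from a dropped connection
# and no status line leaks its existence. Note 444 is nginx-specific and
# is not an HTTP status sent to the client.
location /secret-444-example/ {           # placeholder path, constructed
    return 444;
}

# Option C: restrict by source address and drop everyone else silently.
# Allowed clients reach the backend; all others get the connection closed.
location /secret-allowlist-example/ {     # placeholder path, constructed
    allow 192.0.2.0/24;                   # documentation range, constructed
    deny all;
    error_page 403 =444 /dev/null;        # map the 403 from deny into a 444
    proxy_pass http://backend_placeholder; # hypothetical upstream
}
```

Option B addresses the "no reply" case asked about above. Whichever option is used, the location still has to be matched by nginx before any filesystem access, so as the reply notes it only helps if the server has no path traversal problems of its own.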