I ran across this website today: http://www.0x000000.com/?i=558
He's got an htaccess file that he claims "protects you from nearly every webapplication attack there is." I know almost nothing about htaccess rules and whatnot, but that claim seems superfluous. Could one of you look at his code and explain if his claim is actually justified?
Using htaccess for security purposes?
Re: Using htaccess for security purposes?
What about learning how to code .htaccess yourself, so you will know? It's worth the knowledge.
Re: Using htaccess for security purposes?
As with every application firewall, you need to worry about two things - false positives and false negatives.
Imagine a forum about SQL - no one would be able to talk about selects, unions and whatnot, because the .htaccess will stop them.
Imagine a forum about polar bears though - it's more unlikely that polar bear researchers have unions, or that they muse over what type of hamburger to select for breakfast.
Also, there are surely ways around these rules, especially if the admin applying the .htaccess is forced to change some of them (did you notice that the SQL-related list has select, insert and update, but not delete?). The good thing is that "some" security is better than "no" security, so for some people and applications it may be the difference between being defaced by script kiddies and not.
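To make the false-positive / false-negative point above concrete, here is an added illustration (not part of the thread, and not the rules from the linked file): a hypothetical keyword blocklist of the kind a RewriteCond on the query string would express, run over a few constructed requests with hand-labelled ground truth.

```python
import re

# Hypothetical keyword blocklist, modelled on the kind of patterns a
# RewriteCond %{QUERY_STRING} rule would carry. Note: no "delete" entry,
# mirroring the gap pointed out in the reply above.
BLOCKED_KEYWORD_PATTERNS = [
    r"\bselect\b",
    r"\binsert\b",
    r"\bupdate\b",
    r"\bunion\b",
]
_BLOCKLIST = re.compile("|".join(BLOCKED_KEYWORD_PATTERNS), re.IGNORECASE)


def is_blocked(query_string: str) -> bool:
    """Return True if the keyword filter would reject this query string."""
    return _BLOCKLIST.search(query_string) is not None


def classify(query_string: str, is_attack: bool) -> str:
    """Compare the filter's verdict with the labelled ground truth."""
    blocked = is_blocked(query_string)
    if blocked and is_attack:
        return "true positive"
    if blocked and not is_attack:
        return "false positive"   # legitimate traffic is lost
    if not blocked and is_attack:
        return "false negative"   # the filter lets the request through
    return "true negative"


# Constructed sample query strings with hand-assigned labels.
SAMPLES = [
    ("q=which+hamburger+to+select+for+breakfast", False),  # the forum post
    ("topic=union+of+polar+bear+researchers", False),      # harmless word
    ("page=2", False),                                     # ordinary request
    ("id=1+UNION+SELECT+1,2,3", True),                     # listed keywords
    ("id=1;+DELETE+FROM+posts", True),                     # verb not listed
]


def evaluate(samples=SAMPLES) -> dict:
    """Count how the filter's verdicts fall against the labels."""
    counts = {"true positive": 0, "false positive": 0,
              "false negative": 0, "true negative": 0}
    for query_string, is_attack in samples:
        counts[classify(query_string, is_attack)] += 1
    return counts
```

Running `evaluate()` shows that even on this tiny set the filter both blocks two legitimate requests and misses one malicious one, which is why such a list is a supplement to input validation in the application, not a substitute for it.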