Hello,
error 403 means that the location exists and access is not allowed while
404 means that the location does not exist.
Based on this, with mostly default settings, it is (in theory) possible
to determine the directory structure below the document root via
guessing or dictionary attack. This may or may not be considered a
security risk (what do you think?).
I know that there are ways to make nginx return 404 for specific
locations, including directories. In am wondering, however, if there is
a neat approach making nginx return 404 generally for each directory that
- has not explicitly enabled autoindex and
- contains no 'index' file (HttpIndexModule)
Thanks,
Jan-Philip
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx