does disabling this option /really/ improve security?
On Fri, Mar 12, 2010 at 9:41 AM, Brad Tilley <b...@16systems.com> wrote: > When run against default OpenBSD servers that have Apache enabled, > vulnerability assessment software (Nessus, Rapid7, etc.) complains about > "browsable web directories". The concern is that someone may > accidentally place inappropriate files in the web directories that will > then be visible to others. Would it be a good idea to remove the Indexes > option from httpd.conf? Admins may enable the option later if they like: > > # cvs diff -Nup httpd.conf > Index: httpd.conf > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf,v > retrieving revision 1.26 > diff -N -u -p httpd.conf > --- httpd.conf 3 Jun 2009 18:28:21 -0000 1.26 > +++ httpd.conf 12 Mar 2010 17:39:06 -0000 > @@ -396,7 +396,7 @@ DocumentRoot "/var/www/htdocs" > # Note that "MultiViews" must be named *explicitly* --- "Options All" > # doesn't give it to you. > # > - Options Indexes FollowSymLinks > + Options FollowSymLinks > > # > # This controls which options the .htaccess files in directories can > @@ -601,7 +601,7 @@ CustomLog logs/access_log common > Alias /icons/ "/var/www/icons/" > > <Directory "/var/www/icons"> > - Options Indexes MultiViews > + Options MultiViews > AllowOverride None > Order allow,deny > Allow from all
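Review bot: In the first hunk (@@ -396,7), dropping Indexes from the DocumentRoot section changes what a request for a directory that has no DirectoryIndex file gets back (a 403 instead of a listing), and nothing in the hunk says so: the comment left above the changed line still only explains MultiViews and "Options All". Add a line to that comment, or to the commit message, stating that listings are off by default and how to turn them back on. The new default is also only as firm as the AllowOverride setting that the trailing context line ("This controls which options the .htaccess files in directories can ...") introduces; if that is anything other than None, a .htaccess with "Options +Indexes" brings listings back. Finally, the description's rationale is only partly met: a file accidentally dropped into htdocs is still served to anyone who knows or guesses its name, so this reduces discoverability, not access, and the commit message should say that rather than "visible to others".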
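Review bot: For the second hunk (@@ -601,7), the gain is smaller than for the first and the commit message should say why it is included. The section's contents are the stock icon set, still reachable by name through the "Alias /icons/ "/var/www/icons/"" line in the context and the "Allow from all" below it, so removing Indexes here only turns a request for /icons/ itself into a 403. With "AllowOverride None" already in the block the change cannot be undone from a .htaccess, which is fine, but the stated concern (files accidentally placed in web directories) does not apply to a directory nobody writes into; either note that this is done for consistency with the htdocs change, or leave the icons section as it is.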
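A check for the question in the subject line, as an added example rather than anything from the OpenBSD tree or from Apache: the script below parses a httpd.conf fragment and reports, per directory, whether Indexes is in effect and whether a .htaccess could put it back. The config fragments are constructed here from the two <Directory> blocks in the quoted patch; the server-wide default of "Options All", the <Directory /> section and the /var/www/htdocs/pub section are assumptions of the example, not part of the patch.

```python
"""Audit an Apache httpd.conf for where 'Options Indexes' is actually in effect.

Added example for the thread above, not code from OpenBSD or Apache.  Rules modelled:
an Options line without +/- prefixes replaces the inherited set, one with +/- merges;
"All" is every option except MultiViews; <Directory> sections apply parent first;
AllowOverride All/Options lets a .htaccess add Indexes back.  Assumed: a server-wide
default of "Options All" (pre-2.3.11 Apache); pass default= to model a newer one.
"""
import re
from typing import Dict, List, Set, Tuple

# Canonical spellings; Apache matches option names case-insensitively.
CANON = {n.lower(): n for n in ("Indexes", "FollowSymLinks", "SymLinksIfOwnerMatch",
                                "ExecCGI", "Includes", "IncludesNOEXEC", "MultiViews")}
ALL = {n for n in CANON.values() if n != "MultiViews"}  # "All" never includes MultiViews


def parse_directory_blocks(conf: str) -> List[Tuple[str, List[str]]]:
    """Collect (path, directive lines) per <Directory> section, dropping comments."""
    blocks: List[Tuple[str, List[str]]] = []
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = (opened.group(1).rstrip("/") or "/", [])
        elif re.match(r"</Directory>$", line, re.I):
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None:
            current[1].append(line)
    return blocks


def apply_options(inherited: Set[str], args: List[str]) -> Set[str]:
    """Apply one 'Options ...' argument list to the inherited option set."""
    relative = any(a[0] in "+-" for a in args)
    result = set(inherited) if relative else set()   # absolute form starts from nothing
    for a in args:
        sign, name = (a[0], a[1:]) if a[0] in "+-" else ("+", a)
        key = name.lower()
        names = ALL if key == "all" else set() if key == "none" else {CANON.get(key, name)}
        result = result | names if sign == "+" else result - names
    return result


def effective(blocks, target: str, default: Set[str] = ALL) -> Tuple[Set[str], bool]:
    """Return (effective options, whether .htaccess may change Options) for a directory."""
    opts, htaccess_may_set_options = set(default), False
    for path, lines in sorted(blocks, key=lambda b: b[0].count("/")):  # parent first
        if not (path == "/" or target == path or target.startswith(path + "/")):
            continue
        for line in lines:
            words = line.split()
            if words[0].lower() == "options":
                opts = apply_options(opts, words[1:])
            elif words[0].lower() == "allowoverride":   # most specific section wins
                htaccess_may_set_options = any(w.lower() in ("all", "options") for w in words[1:])
    return opts, htaccess_may_set_options


def listing_enabled(conf: str, target: str) -> Dict[str, bool]:
    """Summary for one directory: listings on now, and can .htaccess turn them on later."""
    opts, override = effective(parse_directory_blocks(conf), target)
    return {"indexes": "Indexes" in opts, "htaccess_can_reenable": override}


def sample_conf(htdocs_options: str, htdocs_override: str = "None",
                icons_options: str = "MultiViews", extra: str = "") -> str:
    """Constructed httpd.conf fragment modelled on the two blocks in the quoted patch."""
    return f'''
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/htdocs">
    # "Options All" does not include MultiViews, so it must be named explicitly.
    Options {htdocs_options}
    AllowOverride {htdocs_override}
</Directory>
<Directory "/var/www/icons">
    Options {icons_options}
    AllowOverride None
</Directory>
{extra}'''


BEFORE = sample_conf("Indexes FollowSymLinks", icons_options="Indexes MultiViews")  # stock
AFTER = sample_conf("FollowSymLinks")                                                # patched
# Two ways the patched default quietly loses its effect later on (both assumed, not in the patch):
REOPENED = AFTER + '<Directory "/var/www/htdocs/pub">\n    Options +Indexes\n</Directory>\n'
HTACCESS = sample_conf("FollowSymLinks", htdocs_override="Options")  # .htaccess may add Indexes

if __name__ == "__main__":
    for label, conf in (("stock", BEFORE), ("patched", AFTER),
                        ("patched+pub", REOPENED), ("patched+override", HTACCESS)):
        for d in ("/var/www/htdocs", "/var/www/htdocs/pub", "/var/www/icons"):
            print(f"{label:17} {d:22} {listing_enabled(conf, d)}")
```

Running it shows that the patch turns listings off for htdocs and icons, but also the two ways the new default stops holding: a later section that uses the relative "Options +Indexes" form, and an "AllowOverride Options" that lets a .htaccess re-add it. In every case the files themselves are still served by direct URL; the script only answers whether a directory request enumerates them.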