> > Yes we are, while we are at it we can ship an http.conf file that will
> > only listen on port 8000 on localhost when the daemon comes up as
> > well, and that would be super obscure as well, and it would only read
> > index files ending in .HolyFuck, and we'd ship a mime types
> > where HolyFuck was html, so people accidentally didn't put html files
> > in there without changing the mime types, etc etc. etc.
>
> No, we are not. You're still talking about something else.
>
> Disabled Indexes: "Don't show the content of EVERY single folder"
> = Security First = Default => OpenBSD
>
> Suggesting disabling it is one of the most common security tips of
> Apache security articles/books, "20 ways to Secure your Apache Configuration",
> "Ten tips for securing Apache", and so on and so forth..
>
> When directory browsing is enabled, users that browse to a directory that
> does not contain a default document are instead provided with a complete
> list of the contents of that directory.
>
> Google can (and will) index directories you do NOT want indexed:
> WordPress plugin dirs, your own custom web administration dirs, for instance.
>
> intitle:index.of "parent directory" - this query will return all web pages
> where directory listing is enabled and contains the keywords parent directory.
>
> Oh, but someone will still need it ON after all those risks?
>
> It seems like it wouldn't be that hard;
>
> httpd.conf:
> - Options FollowSymLinks
> + Options Indexes FollowSymLinks
>
> (Just like how you 'httpd -u' when you don't like a jailed Apache.
> It comes jailed/closed, you open it manually, if you wish)

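Review bot: the `+ Options Indexes FollowSymLinks` line is shown without its enclosing `<Directory>` block, so it is not clear which tree would get listings. Anyone re-enabling Indexes this way should set it only on the specific directory that needs a listing and leave the broader default at `Options FollowSymLinks`.
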
That's a lot of words. The default configuration is not going to be changed in this way.