Should access to web.config over HTTP be prohibited?



  • Should we prohibit reading web.config via a GET request or not?

    location ~ web\.config$ {
        deny all;
    }
    


  • Access must, of course, be prohibited. There's an OD password and secret keys for OAuth.

    But by default there is no access to this file, so if nothing's broken, you don't have to ban it separately.
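
An added example, not part of the question or the answer above: a Python sketch that checks which request targets the posted `location ~ web\.config$` rule covers, and compares it with nginx's case-insensitive `~*` modifier. The helper names and sample URIs are constructed, and nginx's URI normalisation is approximated by dropping the query string and percent-decoding the path.

```python
import re
from urllib.parse import urlsplit, unquote


def location_matches(pattern: str, uri: str, case_insensitive: bool = False) -> bool:
    """Approximate an nginx regex location test ("~" or "~*").

    nginx matches locations against the decoded path without the query
    string; this sketch reproduces only those two normalisation steps.
    """
    path = unquote(urlsplit(uri).path)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, path, flags) is not None


# Regex from the question, where it is used with the "~" modifier.
POSTED = r"web\.config$"

# Constructed request targets for the coverage check.
SAMPLE_URIS = [
    "/web.config",          # the file itself
    "/app/web.config?x=1",  # nested path with a query string
    "/web%2Econfig",        # percent-encoded dot, decoded before matching
    "/Web.Config",          # different letter case
    "/web.config.bak",      # a backup copy left next to the original
    "/index.html",          # ordinary content that must stay reachable
]


def coverage(pattern: str, case_insensitive: bool = False) -> dict:
    """Return {uri: True if the deny rule would apply}."""
    return {u: location_matches(pattern, u, case_insensitive) for u in SAMPLE_URIS}


if __name__ == "__main__":
    for modifier, ci in (("~", False), ("~*", True)):
        print(f"location {modifier} {POSTED}")
        for uri, denied in coverage(POSTED, ci).items():
            print(f"  {'deny' if denied else 'pass'}  {uri}")
```

Targets reported as `pass` are not covered by the rule and depend on whatever else the server configuration does with them.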



