On 24/02/2012 11:52 a.m., Roman Gelfand wrote:
> Hi Amos,
>
> I could be wrong, but I understood from your several posts that this
> type of configuration is not recommended (either due to security
> issues or performance, I don't remember exactly).
>
> Is that right?
*redirect* (using deny_info or a redirector program which does real 3XX
status redirects) is fine and a built-in feature of HTTP, since what it
does is inform the client browser/agent to change the URI being
requested, keeping any state between the server and client synchronized.
Security, behaviour expectations and working state are all kept predictable.
*rewrite* (using a redirector/rewriter to alter the URL in-transit) is
not recommended on grounds of being complex, with many breakages from the
client browser/agent being unaware of the URL change. Rewrite is at
heart a cross-site/XSS attack, in the same way that an intercept proxy is
a MITM attack. Intending for it to happen does not change the side
effects or lessen the risks.
Amos
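As an added illustration (this is not code from the thread above nor from the Squid project), here is a small url_rewrite_program helper that can be started in either of the two modes Amos contrasts, so the difference is visible in the reply lines. It assumes the Squid 3.1-era line-based helper protocol: a request line of the form `URL client_ip/fqdn ident method [kv-pairs]`, optionally prefixed by a numeric channel-ID when url_rewrite_concurrency is set, and a reply that is `301:URL` or `302:URL` for a real redirect, a bare URL for an in-transit rewrite, or an empty line for "leave it alone". The HOST_MOVES table, the example hostnames and the client_origin() helper are constructed for illustration only.

```python
#!/usr/bin/env python3
"""Constructed Squid url_rewrite_program helper: redirect mode vs rewrite mode.

Usage in squid.conf (assumed, adjust path):
    url_rewrite_program /usr/local/bin/moves.py redirect   # or: rewrite
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Hypothetical policy table: requests for the old host should go to the new one.
HOST_MOVES = {"old.example.com": "new.example.com"}


def parse_request(line):
    """Split one helper request line into (channel, url, client, ident, method).

    Assumed format (Squid 3.1-era): 'URL client_ip/fqdn ident method [kv-pairs]',
    optionally preceded by a channel-ID when url_rewrite_concurrency > 0.
    """
    fields = line.strip().split()
    channel = None
    if fields and fields[0].isdigit():      # a URL is never purely numeric
        channel = fields.pop(0)
    if len(fields) < 4:
        raise ValueError("malformed helper request: %r" % line)
    return channel, fields[0], fields[1], fields[2], fields[3]


def new_url(url):
    """Return the replacement URL for a moved host, or None if no change applies."""
    parts = urlsplit(url)
    host = parts.hostname
    if host not in HOST_MOVES:
        return None
    netloc = HOST_MOVES[host] + (":%d" % parts.port if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def reply(line, mode):
    """Build the helper reply for one request line in the given mode."""
    channel, url, _client, _ident, _method = parse_request(line)
    target = new_url(url)
    if target is None:
        body = ""                 # empty line: Squid fetches the original URL unchanged
    elif mode == "redirect":
        body = "301:" + target    # Squid answers the client with a 301; the browser re-requests target
    elif mode == "rewrite":
        body = target             # Squid fetches target silently; the client still believes it got url
    else:
        raise ValueError("mode must be 'redirect' or 'rewrite'")
    return "%s %s" % (channel, body) if channel else body


def client_origin(original_url, helper_reply):
    """Which origin the browser will associate the response with.

    With a 3xx reply the browser follows the Location header, so cookies,
    Referer and relative links all bind to the new host.  With a rewrite the
    browser never learns of the change, so content from the new host is
    handled as if it came from the old one.
    """
    if helper_reply.startswith(("301:", "302:")):
        return urlsplit(helper_reply.split(":", 1)[1]).netloc
    return urlsplit(original_url).netloc


def main():
    mode = sys.argv[1] if len(sys.argv) > 1 else "redirect"
    for line in sys.stdin:
        if not line.strip():
            continue
        sys.stdout.write(reply(line, mode) + "\n")
        sys.stdout.flush()        # Squid blocks until each reply arrives; never leave it buffered


if __name__ == "__main__":
    main()
```

Run it with `echo "http://old.example.com/a?b=1 192.0.2.1/- - GET" | ./moves.py redirect` and the reply is `301:http://new.example.com/a?b=1`; with `rewrite` the reply is the bare URL, and client_origin() shows that in that case the browser keeps treating the response as belonging to old.example.com, which is the mismatch behind the cross-site objection in the post.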
Received on Fri Feb 24 2012 - 10:24:17 MST
This archive was generated by hypermail 2.2.0 : Fri Feb 24 2012 - 12:00:05 MST