It would be useful to have a copy of the Apache configuration about w3id.org HOT 5 OPEN

I agree that we should add HSTS support to Apache. Done.

I'm a bit hesitant to upload the apache config file to github as it would be more information given to attackers (exactly where files are, what's enabled and what isn't, etc. I'm not a fan of security through obscurity, but placing the apache config under version control seems to have more downsides than upsides. I can't think of a very compelling reason to do so at the moment.

from w3id.org.

I agree - we should not expose that file. now if there is a decent way to
expose a file that is included.... I would be open to that. Not the basic
settings but the extensions.

On Wed, May 22, 2013 at 12:33 PM, Manu Sporny [email protected]:

I agree that we should add HSTS support to Apache. Done.

I'm a bit hesitant to upload the apache config file to github as it would
be more information given to attackers (exactly where files are, what's
enabled and what isn't, etc. I'm not a fan of security through obscurity,
but placing the apache config under version control seems to have more
downsides than upsides. I can't think of a very compelling reason to do so
at the moment.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/5#issuecomment-18294554
.

Shane P. McCarron
Managing Director, Applied Testing and Technology, Inc.

from w3id.org.

I don't think that there is a huge difference between publishing configuration files on the one hand and source code of executables running on a server on the other hand. In both cases potential security issues become more visible.

from w3id.org.

I agree with Manu - I would not expose all of the configuration.

from w3id.org.

I appreciate the problem, but there /are/ known attack vectors when file paths are known. There is no compelling reason to risk it as far as I can see.

from w3id.org.