I think the convenience of having the docs available by default
outweighs the minor issue of telling a potential attacker which CFML
engine is being used.
Any malicious bot that might look for /lucee/doc.cfm can just as easily
look for /index.cfm to determine that a CFML engine is running, and
then try all the CFML-related exploits it has anyway (because nobody is
going to target just Lucee; they’ll go after them all).
It can be excluded from search engines with a noindex meta tag, plus of
course a rel="canonical" to point them at the official docs.
I think Micha already talked about having some extensions installed by
default. So I think in that case we both win. A standard install would
include the docs extension. I can simply “uncheck” that option when I do
my install. Not that I do an install anyway since I use Jetty.
Have you ever installed Contentbox? It included items for the install then
gives you a UI to remove the install components after they are not needed.
It would be great if extensions worked along those lines. Having
followed this project since it went open source I’m sure Micha has something
like that in mind.
Andrew Penhorwood
On Saturday, February 14, 2015 at 2:08:23 PM UTC-5, Peter Boughton wrote:
The point of the word “convenience” is to indicate that installing an
extension is several extra steps, which is exactly the sort of thing
that can be frustrating for a beginner. (Those being significant if not
primary users of the documentation.)
Having a pre-installed extension which can be removed by those that
don’t want it is convenient and preserves the security theatre for the
paranoid.
A better approach is probably for the installer to present a choice of
“developer mode” vs “hardened mode” which controls what is on/off by
default, since there are obviously other considerations here too.
On 13 February 2015 at 18:22, Andrew Penhorwood penho...@gmail.com wrote:
Just put a link that opens a new tab / window. Since we’re on the
subject, can we turn that off so we don’t have sites that show
documentation? I can see a bot now that will go through sites looking for the
doc link to know that it is a Lucee site.
Andrew Penhorwood
On Friday, February 13, 2015 at 12:49:51 PM UTC-5, Micha wrote:
It was excluded so no password is necessary to reach it
Micha
On Friday, 13 February 2015, Nando Breiter wrote:
I’m having trouble finding the lucee docs url again. Could someone
please remind me what it is? Any reason it’s been excluded from the admin
nav?
The point of having the docs in an extension is those who want them can
have them. Nothing prevents you from installing it.
Andrew Penhorwood
On Saturday, February 14, 2015 at 1:26:17 PM UTC-5, Peter Boughton wrote:
I think the convenience of having the docs available by default
outweighs the minor issue of telling a potential attacker which CFML
engine is being used.
Any malicious bot that might look for /lucee/doc.cfm can just as easily
look for /index.cfm to determine that a CFML engine is running, and
then try all the CFML-related exploits it has anyway (because nobody is
going to target just Lucee; they’ll go after them all).
It can be excluded from search engines with a noindex meta tag, plus of
course a rel="canonical" to point them at the official docs.