Lucee docs url

dnando · February 13, 2015, 2:29pm

I’m having trouble finding the lucee docs url again. Could someone please
remind me what it is? Any reason it’s been excluded from the admin nav?

Thanks,

Nando

Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

Michael_van_Leest · February 13, 2015, 3:10pm

/lucee/doc.cfm2015-02-13 15:29 GMT+01:00 Nando Breiter <@Nando_Breiter>:

I’m having trouble finding the lucee docs url again. Could someone please
remind me what it is? Any reason it’s been excluded from the admin nav?

Thanks,

Nando

Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

–
You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAGHrs%3D8QLkjOQVvxm%3DM7dJOSkiT9KLEnCAwU0QMzQOh9Rud4sg%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAGHrs%3D8QLkjOQVvxm%3DM7dJOSkiT9KLEnCAwU0QMzQOh9Rud4sg%40mail.gmail.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

–
Michael van Leest

Andrew_Penhorwood · February 14, 2015, 5:06pm

+1On Saturday, February 14, 2015 at 11:27:38 AM UTC-5, Micha wrote:

We could move the doc to a extension …

Peter_Boughton · February 14, 2015, 6:26pm

I think the convenience of having the docs available by default
outweighs the minor issue of telling a potential attacker which CFML
engine is being used.

Any malicious bot that might look for /lucee/doc.cfm can just as easily
look for /index.cfm to determine that a CFML engine is running, and
then try all the CFML-related exploits it has anyway (because nobody is
going to target just Lucee; they’ll go after them all.)

It can be excluded from search engines with a noindex meta tag, plus of
course a rel=“canonical” to point them at the official docs.

Andrew_Penhorwood · February 14, 2015, 7:51pm

I think Micha already talked about having some extensions installed by
default. So I think in that case we both win. A standard install would
include the docs extension. I can simple “uncheck” that option when I do
my install. Not that I do an install anyway since I use Jetty.

Have you ever installed Contentbox? It included items for the install then
gives you a UI to remove the install components after they are not needed.
It would be great if extensions worked like along those lines. Having
followed this project since it went open source I’m sure Micha as something
like that in mind.

Andrew Penhorwood.On Saturday, February 14, 2015 at 2:08:23 PM UTC-5, Peter Boughton wrote:

The point of the word “convenience” is to indicate that installing an
extension is several extra steps, which is exactly the sort of thing
that can be frustrating for a beginner. (Those being significant if not
primary users of the documentation.)

Having a pre-installed extension which can be removed by those that
don’t want it is convenient and preserves the security theatre for the
paranoid.

A better approach is probably for the installer to present a choice of
“developer mode” vs “hardened mode” which controls what is on/off by
default, since there are obviously other considerations here too.

micstriit · February 14, 2015, 4:27pm

We could move the doc to a extension …

MichaAm Freitag, 13. Februar 2015 schrieb ADK :

you could, but secure by default is the better route I think.

On Friday, February 13, 2015 at 11:20:10 AM UTC-8, Andrew Dixon wrote:

Just add a deny rule to your production web server so it can’t serve it.

Kind regards,

Andrew
Andrew Dixon - Tonbridge, United Kingdom, mso, University of Greenwich | about.me

On 13 February 2015 at 18:22, Andrew Penhorwood penho...@gmail.com wrote:

Just put a link that opens a new tab / window. Since were on the
subject can we turn that off so we don’t have sites that show
documentation? I can see a bot now that will go through sites look for the
doc link to know that it is a Lucee site.

Andrew Penhorwood

On Friday, February 13, 2015 at 12:49:51 PM UTC-5, Micha wrote:

It was excluded so no password is necessary to reach it

Micha

Am Freitag, 13. Februar 2015 schrieb Nando Breiter :

I’m having trouble finding the lucee docs url again. Could someone
please remind me what it is? Any reason it’s been excluded from the admin
nav?

–
You received this message because you are subscribed to the Google
Groups “Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/
msgid/lucee/8218bb32-5119-4c43-a9e3-4ece7810f6f4%40googlegroups.com
https://groups.google.com/d/msgid/lucee/8218bb32-5119-4c43-a9e3-4ece7810f6f4%40googlegroups.com?utm_medium=email&utm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee%2Bunsubscribe@googlegroups.com’);>.
To post to this group, send email to lucee@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee@googlegroups.com’);>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/cc0702b0-01ac-451f-beeb-a1da4ec721ce%40googlegroups.com
https://groups.google.com/d/msgid/lucee/cc0702b0-01ac-451f-beeb-a1da4ec721ce%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

Peter_Boughton · February 14, 2015, 7:08pm

The point of the word “convenience” is to indicate that installing an
extension is several extra steps, which is exactly the sort of thing
that can be frustrating for a beginner. (Those being significant if not
primary users of the documentation.)

Having a pre-installed extension which can be removed by those that
don’t want it is convenient and preserves the security theatre for the
paranoid.

A better approach is probably for the installer to present a choice of
“developer mode” vs “hardened mode” which controls what is on/off by
default, since there are obviously other considerations here too.

Michael_Vornkahl · February 14, 2015, 1:47pm

+1

Michael

Andrew_Penhorwood · February 14, 2015, 6:42pm

The point of having the docs in an extension is those who want them can
have them. Nothing prevents you from installing it.

Andrew PenhorwoodOn Saturday, February 14, 2015 at 1:26:17 PM UTC-5, Peter Boughton wrote:

I think the convenience of having the docs available by default
outweighs the minor issue of telling a potential attacker which CFML
engine is being used.

Any malicious bot that might look for /lucee/doc.cfm can just as easily
look for /index.cfm to determine that a CFML engine is running, and
then try all the CFML-related exploits it has anyway (because nobody is
going to target just Lucee; they’ll go after them all.)

It can be excluded from search engines with a noindex meta tag, plus of
course a rel=“canonical” to point them at the official docs.