Disregarding best practices, does using return 403 achieve the exact same effect as deny all;? From the docs:
Deny: Denies access for the specified network or address.
Return: Stops processing and returns the specified code to a client.
Does "denies access" mean the same as "stops processing and returns the specified code"? If not, what does "denies access" really mean?
deny all will have the same consequence but leaves the possibilities of slip-ups:
If you have auth_basic and/or allow in a parent block with a satisfy directive, requests satisfying those criteria will have access in an inheriting block that at face value is denying access. This is of no concern if you don't use this feature.
The issue is illustrated in this answer, suggesting not using the satisfy+allow+deny at server{} level because of inheritance.
I've come to the conclusion a return 403 (or even a 404, as the RFC suggests for purposes of no information disclosure) is less error prone if I know the resource should under no circumstances be accessed via HTTP, even if "authorized" in a general context.
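The inheritance slip-up described in the answer above, shown as an added configuration example that is not part of the original post. The server name, network range, realm, htpasswd path and location names are constructed placeholders.

```nginx
# Constructed example: all names, paths and addresses are placeholders.
server {
    listen 80;
    server_name example.test;

    # Server-level policy: a request passes the access phase if EITHER
    # the address check OR basic auth succeeds.
    satisfy any;
    allow 192.0.2.0/24;
    deny all;
    auth_basic "restricted";
    auth_basic_user_file /etc/nginx/htpasswd;

    # Weak: reads like a hard block, but is not one.
    # "deny all" here replaces the inherited allow/deny list, while
    # "satisfy any" and auth_basic are still inherited from server{}.
    # A client with valid credentials therefore satisfies the access
    # phase and is served the content.
    location /private-weak/ {
        deny all;
    }

    # Corrected: return is handled by the rewrite module, which runs
    # before the access phase, so satisfy, allow and auth_basic are
    # never consulted for this location.
    location /private/ {
        return 403;   # or 404, to avoid disclosing that the resource exists
    }
}
```

To check a deployed configuration for this, request each blocked location with valid credentials from an address outside the allowed range: a location protected only by deny all serves the content, while the return 403 location answers 403 regardless.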