w3id.org
It would be useful to have a copy of the Apache configuration
E.g. so we could add pull requests for things like HSTS, etc.
I agree that we should add HSTS support to Apache. Done.
I'm a bit hesitant to upload the Apache config file to GitHub as it would be more information given to attackers (exactly where files are, what's enabled and what isn't, etc.). I'm not a fan of security through obscurity, but placing the Apache config under version control seems to have more downsides than upsides. I can't think of a very compelling reason to do so at the moment.
I agree - we should not expose that file. Now, if there is a decent way to expose a file that is included... I would be open to that. Not the basic settings but the extensions.
On Wed, May 22, 2013 at 12:33 PM, Manu Sporny [email protected]:
I agree that we should add HSTS support to Apache. Done.
I'm a bit hesitant to upload the Apache config file to GitHub as it would be more information given to attackers (exactly where files are, what's enabled and what isn't, etc.). I'm not a fan of security through obscurity, but placing the Apache config under version control seems to have more downsides than upsides. I can't think of a very compelling reason to do so at the moment.
Shane P. McCarron Managing Director, Applied Testing and Technology, Inc.
I don't think that there is a huge difference between publishing configuration files on the one hand and source code of executables running on a server on the other hand. In both cases potential security issues become more visible.
I agree with Manu - I would not expose all of the configuration.
I appreciate the problem, but there /are/ known attack vectors when file paths are known. There is no compelling reason to risk it as far as I can see.