Improve Vanilla Security by Default - Deny Viewing the Cache
mtschirs
I would suggest making vulnerability discovery in Vanilla harder by removing web access to the cache directory (or relevant parts of it). E.g. http://vanillaforums.org/cache/p_core_library_map.ini
I suggest adding some rules to the .htaccess file that comes 'preinstalled' with Vanilla.
4
Comments
I'd be fine with making that addition to the htaccess file.
Also a great opportunity to start an official nginx config page in the docs so this can be noted for non-Apache users to set up on their own.
x00 posted his nginx config here:
http://vanillaforums.org/discussion/comment/227015/#Comment_227015
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
General rules for nginx are at best guidance. Server config is a specific art.
grep is your friend.
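One way to write the .htaccess rules suggested in the opening post, as an added example that is not Vanilla's shipped configuration or any poster's own config. It assumes Apache with mod_rewrite available and `AllowOverride` permitting these directives; the two file locations are relative to the forum's install directory.

```apache
# --- File 1: .htaccess in the forum root (added example) ---
# Refuse any request under cache/ before other rewrite rules hand the
# request to the application. In .htaccess context the pattern is matched
# against the path relative to this directory, so it has no leading slash
# and also works when the forum lives in a subdirectory.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^cache(/|$) - [F,L]
</IfModule>

# --- File 2: cache/.htaccess (defence in depth) ---
# Still denies access if the root rule is removed or mod_rewrite is not loaded.
# Apache 2.4 and later (mod_authz_core); needs AllowOverride AuthConfig.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
# Apache 2.2 fallback; needs AllowOverride Limit.
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
```

With either file in place, a request for a file under cache/ on your own installation should return 403 instead of the file contents. If `AllowOverride None` is set for the site, neither file is read and the equivalent rule has to go in the virtual host configuration.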