Admin site should authenticate before 404ing, to prevent detection of valid pages
| Reported by: | anonymous | Owned by: | nobody |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
This is a very trivial issue so feel free to ignore it, but:
It's possible to scope out the admin site structure by testing if a URI returns a login page or 404.
Would it be better to authenticate all requests, even if they result in a 404?
I suppose you'd just need to add a "match all" rule in the urls file and then return a 404 after authentication.
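Added example, not part of the original ticket and not Django's own code: a standard-library model of the dispatch order the ticket describes, next to the proposed "authenticate first, then 404" order. The route table, paths, and function names are constructed for illustration.

```python
import re
from urllib.parse import urlencode

# Constructed route table standing in for an admin URLconf (hypothetical paths).
LOGIN_URL = "/admin/login/"
ADMIN_ROUTES = [
    (re.compile(r"^/admin/$"), "index"),
    (re.compile(r"^/admin/auth/user/$"), "user_list"),
    (re.compile(r"^/admin/auth/user/\d+/$"), "user_change"),
]

def resolve(path):
    """Return the view name for path, or None when no route matches."""
    for pattern, name in ADMIN_ROUTES:
        if pattern.match(path):
            return name
    return None

def login_redirect(path):
    return (302, LOGIN_URL + "?" + urlencode({"next": path}))

def dispatch_before(path, authenticated):
    """Behaviour the ticket reports: the 404 is decided before authentication."""
    if path == LOGIN_URL:
        return (200, "login")
    view = resolve(path)
    if view is None:
        return (404, "Not Found")
    if not authenticated:
        return login_redirect(path)
    return (200, view)

def dispatch_after(path, authenticated):
    """Proposed behaviour: authenticate first; the "match all" rule
    returns 404 only to a logged-in user."""
    if path == LOGIN_URL:  # the login page itself must stay reachable
        return (200, "login")
    if path.startswith("/admin/") and not authenticated:
        return login_redirect(path)
    view = resolve(path)
    if view is None:
        return (404, "Not Found")
    return (200, view)

def anonymous_statuses(dispatch, paths):
    """Status codes an unauthenticated client observes for each path."""
    return {p: dispatch(p, authenticated=False)[0] for p in paths}

PROBES = ["/admin/auth/user/", "/admin/auth/group/", "/admin/nope/"]
```

A regression test for the fix can assert that `anonymous_statuses(dispatch_after, PROBES)` contains a single distinct status code, while a logged-in request for an unknown path still gets 404.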
Change History (7)
comment:1 Changed 7 years ago by anonymous
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:3 Changed 7 years ago by adrian
- Summary changed from Authenticate before 404 to Admin site should authenticate before 404ing, to prevent detection of valid pages
- Triage Stage changed from Unreviewed to Accepted