Admin site should authenticate before 404ing, to prevent detection of valid pages
Reported by: anonymous    Owned by: nobody
Has patch: no    Needs documentation: no
Needs tests: no    Patch needs improvement: no
This is a very trivial issue so feel free to ignore it, but:
It's possible to scope out the admin site structure by testing if a URI returns a login page or 404.
Would it be better to authenticate all requests, even if they result in a 404?
I suppose you'd just need to add a "match all" rule in the urls file and then return a 404 after authentication.
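The behaviour the ticket describes and the proposed fix, as an added, self-contained example (not the reporter's code and not Django's own admin or URL resolver): a small stand-in dispatcher with a constructed set of admin URL patterns. `dispatch_leaky` resolves the URL first and 404s unknown paths before any view can check authentication, so an anonymous caller sees 302 for real admin pages and 404 for everything else. `dispatch_hardened` adds the "match all" rule under `/admin/` that authenticates and only then returns 404, so anonymous probes get the same login redirect regardless of whether the page exists. Everything here (`Request`, `Response`, the pattern list, the `/admin/login/` handling) is a hypothetical simplification written for this illustration.

```python
"""Added example, not from the ticket or Django: why 404-before-auth leaks
admin structure, and what a catch-all rule that authenticates first changes."""
import re
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    user_is_staff: bool = False   # constructed session state, not Django's auth


@dataclass
class Response:
    status: int
    location: str = ""            # Location header for redirects


LOGIN_URL = "/admin/login/"

# Constructed admin URL patterns (hypothetical apps/models).
ADMIN_PATTERNS = [
    re.compile(r"^/admin/$"),
    re.compile(r"^/admin/auth/user/$"),
    re.compile(r"^/admin/blog/post/$"),
]


def login_redirect(request: Request) -> Response:
    return Response(302, f"{LOGIN_URL}?next={request.path}")


def login_view(request: Request) -> Response:
    """The login page itself must stay reachable without authentication."""
    return Response(200)


def admin_view(request: Request) -> Response:
    """Every real admin view checks authentication before doing anything."""
    if not request.user_is_staff:
        return login_redirect(request)
    return Response(200)


def dispatch_leaky(request: Request) -> Response:
    """No catch-all: unknown paths 404 before any view runs, so an anonymous
    caller can distinguish valid admin URLs (302) from invalid ones (404)."""
    if request.path == LOGIN_URL:
        return login_view(request)
    for pattern in ADMIN_PATTERNS:
        if pattern.match(request.path):
            return admin_view(request)
    return Response(404)


def admin_catch_all(request: Request) -> Response:
    """The ticket's proposal: a 'match all' rule under /admin/ that
    authenticates first and only then returns 404."""
    if not request.user_is_staff:
        return login_redirect(request)
    return Response(404)


def dispatch_hardened(request: Request) -> Response:
    if request.path == LOGIN_URL:
        return login_view(request)
    for pattern in ADMIN_PATTERNS:
        if pattern.match(request.path):
            return admin_view(request)
    if request.path.startswith("/admin/"):
        return admin_catch_all(request)
    return Response(404)          # non-admin URLs are unaffected


def probe(dispatch, paths, staff=False) -> dict:
    """Map each path to the status an (anonymous by default) caller receives."""
    return {p: dispatch(Request(p, staff)).status for p in paths}


def leaks_structure(dispatch, known: str, unknown: str) -> bool:
    """True if an anonymous caller gets different statuses for an existing
    and a non-existing admin path, i.e. the resolver reveals which is real."""
    return dispatch(Request(known)).status != dispatch(Request(unknown)).status


if __name__ == "__main__":
    paths = ["/admin/auth/user/", "/admin/secret/"]
    print("leaky   :", probe(dispatch_leaky, paths))
    print("hardened:", probe(dispatch_hardened, paths))
```

Two details worth keeping in mind when applying the idea to a real project: the login view has to be excluded from the catch-all (otherwise nobody can ever log in), and the redirect's `next` parameter still echoes the probed path, which is harmless for this purpose but shows the response is not completely path-independent. Once a staff user is authenticated the 200 versus 404 difference comes back, which is the intended behaviour; the ticket is only about anonymous callers.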
Change History (7)
comment:1 Changed 8 years ago by
Patch needs improvement: unset
comment:3 Changed 8 years ago by
Summary: Authenticate before 404 → Admin site should authenticate before 404ing, to prevent detection of valid pages
Triage Stage: Unreviewed → Accepted