Differences
This shows you the differences between two versions of the page.
litespeed:wiki:feature:internal_redirect [2012/10/22 17:28] 127.0.0.1 external edit |
litespeed:wiki:feature:internal_redirect [2015/07/24 16:03] Michael Alegre removed |
||
---|---|---|---|
Line 51: | Line 51: | ||
=== Security Consideration === | === Security Consideration === | ||
- | Unlike X-Sendfile or X-Accel-Redirect implementation in other web servers, LiteSpeed uses a URL instead of file path for security reasons. In this way, only file under document root of a virtual host or a Context can be returned, otherwise, it could be a huge security issue if for some reason, either tricked or intentionally, the script sent back a header "X-Sendfile: /../etc/./passwrd%00" or something like that, user accounts on your server is no longer a secret. 8-) | + | Unlike X-Sendfile or X-Accel-Redirect implementation in other web servers, LiteSpeed uses a URL instead of file path for security reasons. In this way, only file under document root of a virtual host or a Context can be returned, otherwise, it could be a huge security issue if for some reason, either tricked or intentionally, the script sent back a header "X-Sendfile: /../etc/./passwd%00" or something like that, user accounts on your server is no longer a secret. 8-) |
=== Protecting file from direct access === | === Protecting file from direct access === |
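Review bot: The changed line in the Security Consideration paragraph fixes only the "passwrd" spelling in the example header, and the sentence that states the actual guarantee is still a run-on with grammatical errors. Since the line is being touched anyway, I would split it so the guarantee stands on its own, e.g. "In this way, only files under the document root of a virtual host or a Context can be returned.", followed by a separate sentence for the "X-Sendfile: /../etc/./passwd%00" scenario. Also change "implementation in other web servers" to "implementations", "user accounts on your server is no longer a secret" to "are no longer a secret", and consider dropping the trailing "8-)".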