I have been told that cPanel® recommends the Apache FileETag directive be set to None for PCI compliance. Can you please tell me the reasoning behind this interpretation of the standard?
Some PCI companies want FileETag set to None. This is more security through obscurity than actually protecting the server, in my mind, but it is generally easier to just disable it than argue with the PCI company every time. While not every PCI company looks for this, none of them are going to complain if it is set to None.
This is not even security through obscurity. What exactly is disclosed by setting `FileETag MTime Size`? The last modification date and the size. Totally absurd, as those are two fields sent by the server anyway as the response headers Last-Modified and Content-Length.
Even when INode is used to generate the tag, a sweeping fail is a fundamental misunderstanding of an old and no longer relevant issue [1, 2, 3].
I am with you there. Still, someone should point out their incompetence if they don't even understand what they are certifying. Monkey see, monkey do.
[1] Apache HTTP Server MIME message boundaries information disclosure
[2] Apache Web Server ETag Header Information Disclosure Weakness
[3] Apache ETag Inode Information Leakage
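A small audit helper, added here as an example and not taken from the thread or from cPanel, that classifies what an Apache-style ETag reveals beyond the Last-Modified and Content-Length headers. It assumes Apache's historical hex layout (inode-size-mtime with all three enabled, size-mtime under `FileETag MTime Size`); the sample headers are constructed, not captured from a real server.

```python
import re

# Constructed sample responses (values made up) for the three settings
# discussed above: INode MTime Size, MTime Size, and None.
SAMPLES = {
    "inode_mtime_size": {
        "ETag": '"c4f2a-2d-5b1f3a2c4d5e6"',
        "Last-Modified": "Tue, 14 Aug 2018 10:00:00 GMT",
        "Content-Length": "45",
    },
    "mtime_size": {
        "ETag": '"2d-5b1f3a2c4d5e6"',
        "Last-Modified": "Tue, 14 Aug 2018 10:00:00 GMT",
        "Content-Length": "45",
    },
    "none": {
        "Last-Modified": "Tue, 14 Aug 2018 10:00:00 GMT",
        "Content-Length": "45",
    },
}

# Optional weak prefix, then one or more hyphen-separated hex fields in quotes.
ETAG_RE = re.compile(r'^(W/)?"([0-9a-f]+(?:-[0-9a-f]+)*)"$')


def etag_fields(etag):
    """Split an Apache-style ETag into its hex fields as ints.
    Assumed layout: inode-size-mtime (three fields) or size-mtime (two).
    Returns None if the tag does not follow that layout."""
    m = ETAG_RE.match(etag.strip())
    if not m:
        return None
    return [int(f, 16) for f in m.group(2).split("-")]


def audit_etag(headers):
    """Report whether the ETag adds anything to Last-Modified/Content-Length.
    Only a third field (the inode) carries information those headers lack."""
    result = {"etag_present": False, "inode_exposed": False,
              "size_matches_content_length": None}
    etag = headers.get("ETag")
    if etag is None:
        return result
    result["etag_present"] = True
    fields = etag_fields(etag)
    if fields is None or len(fields) < 2:
        return result  # unrecognised format: nothing further to conclude
    result["inode_exposed"] = len(fields) == 3
    # Second-to-last field is the size; it should equal Content-Length.
    result["size_matches_content_length"] = (
        fields[-2] == int(headers.get("Content-Length", "-1")))
    return result
```

Run `audit_etag` over the headers of a real response to see whether a scanner's ETag finding is about the inode or merely about data the server already sends.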