Nginx and locking down your WEB-INF folder


I was working on some URL rewriting rules on my server this evening when I was taking a break at work. Just out of curiosity I tried hitting some of the files that are available in the WEB-INF directory and was surprised to find out that I could easily view all my context logs and anything that was not a ColdFusion template. In retrospect, I should not have been surprised but I should have taken steps to prevent that from ever happening.

I have a drop.conf file that gets loaded on every site so blocking directory access on all my sites was just a matter of adding the directive to block access to the directory and restarting nginx.

In hindsight, I should have checked that a long time ago. Hopefully someone will learn from my mistake.

Advertisements

One thought on “Nginx and locking down your WEB-INF folder

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s