taler-docs

Documentation for GNU Taler components, APIs and protocols

commit ceaccf20d8e4ba8e64fda43cc40d9bd873f81633
parent ba209bbe9fb8d5b0017548443d0d68b70adc1016
Author: Thien-Thi Nguyen <ttn@gnuvola.org>
Date:   Wed, 11 Aug 2021 09:16:04 -0400

factor status-code-remapping text into new subsection "Status code remapping"

- Add front para re instance existence leak and its usefulness.
- Move status code names from 2nd para to 1st.

Diffstat:
M taler-merchant-manual.rst | 42 +++++++++++++++++++++++++-----------------
1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/taler-merchant-manual.rst b/taler-merchant-manual.rst @@ -926,14 +926,6 @@ have TLS configured. Leave out the last line if your Nginx reverse proxy does not have HTTPS enabled. Make sure to restart the ``taler-merchant-httpd`` process after changing the ``SERVE`` configuration. -For higher security (by leaking less information), you can add to the configuration: - -.. code-block:: nginx - - error_page 404 =403 /empty.gif; - -This remaps all 404 response codes (Not found) to 403 (Forbidden). - Apache ^^^^^^ @@ -960,15 +952,6 @@ Note that the above again assumes your domain name is ``example.com`` and that you have TLS configured. Note that you must add the ``https`` header unless your site is not available via TLS. -For higher security (by leaking less information), you can add to the configuration: - -.. code-block:: apacheconf - - cond %{STATUS} =404 - set-status 403 - -This remaps all 404 response codes (Not found) to 403 (Forbidden). - The above configurations are both incomplete. You must still additionally set up access control! @@ -1120,6 +1103,31 @@ restrict access to the internal API to authorized clients. System administrators are strongly advised to test their access control setup before going into production! +Status code remapping +--------------------- + +Normal API usage leaks instance existence information. +Distinguishing between 404 (Not found) and 403 (Forbidden) +is useful for diagnostics. + +For higher security (by leaking less information), +you can add the following fragment, +which remaps all 404 response codes to 403. + +Nginx +^^^^^ + +.. code-block:: nginx + + error_page 404 =403 /empty.gif; + +Apache +^^^^^^ +.. code-block:: apacheconf + + cond %{STATUS} =404 + set-status 403 + Customization =============
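Review bot: the first hunk (`@@ -926,14 +926,6 @@`) removes the `error_page 404 =403 /empty.gif;` fragment from the Nginx section without leaving any pointer to where the text now lives, so a reader working through the Nginx setup no longer learns that the remap exists. Suggest keeping a one-line cross-reference at the point of removal (an RST label such as `.. _status-code-remapping:` above the new heading, referenced with `:ref:` here) so the hardening step stays discoverable from the reverse-proxy instructions.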
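Review bot: the second hunk (`@@ -960,15 +952,6 @@`) has the same gap for Apache: the `cond %{STATUS} =404` / `set-status 403` fragment disappears and nothing points the reader to the new "Status code remapping" subsection. The sentence that follows, "The above configurations are both incomplete", still reads correctly, but a cross-reference to the new subsection would keep the Apache section self-guiding in the same way as suggested for Nginx.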
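Review bot: in the third hunk (`@@ -1120,6 +1103,31 @@`) the Apache heading `^^^^^^` is immediately followed by `.. code-block:: apacheconf` with no blank line, unlike the Nginx heading just above it; add the blank line so the two subsections are formatted alike. The intro also says distinguishing 404 from 403 "is useful for diagnostics" and then recommends the remap "for higher security" without stating the trade-off: the fragment remaps every 404 the proxy returns, not only instance lookups, so operators lose that diagnostic signal for all paths; one sentence saying so would help. Finally, the nginx fragment names `/empty.gif`, but the text never says that this path must actually be served by nginx; if it is not, the internal redirect that `error_page` performs fails on its own and the client is not handed the intended 403, so the prose should say the file (or a matching `location`) must exist.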