-
Notifications
You must be signed in to change notification settings - Fork 53
TWA 0402
"Possible SCM repository being served (maybe protected?) at: ${url}"
In the message output the variable ${url} is replaced by the URL of the SCM data file.
To use an SCM (source control management or version control) system to manage the web pages is a good solution. But the web server should not publish the internal website management data.
The web server sends not the content of the file but an error message "403 Forbidden". With this information a possible attacker knows that the file exists on the server. The attacker gets the information which SCM system is used.
It is good to prevent serving the SCM data files. A better protection is to hide the existence of the SCM data files.
Current (August 2020) the twa script checks: '.git/HEAD', '.hg/store/00manifest.i' and '.svn/entries'.
Configure the web server to not publish the management data files. The web server should respond with "404 Not Found" or with a redirection to a standard error page.
There exists several configuration options to suppress all dot-files, dot-files on a blacklist or dot-files not on white list. Search the web for examples.