OWASP standards vs. Radicore Framework [message #120]
Thu, 29 June 2006 11:32
andy (Junior Member, Reno, NV, USA)
Greetings,
Finally I have the opportunity to review this full release of the Marston web framework. I've been busy working with Python the last few months, giving me a new perspective on things.
Q: Recently I was taken to task for using extensions such as ".inc" rather than the standard ".php". The problem, related to OWASP security recommendations for PHP applications, is that if your server is not configured correctly then .inc files will be dumped as plain text to the browser. This is a potential security hole. The premise of the OWASP philosophy, for background here, is that one should never trust a server configuration, since web application code can be deployed on any server, many of which will be hosted, and the developer may very likely have no influence on server (Apache) configuration settings.
Wondering why this framework code still uses the ".inc" extension?
Shouldn't the OWASP recommendation be heeded?
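The misconfiguration the post describes, and the two server-side mitigations a defender would apply, as an added Apache example that is not part of the original post or of the Radicore framework. It assumes Apache 2.4 (`Require` syntax) with `AllowOverride` permitting `.htaccess`, and the directory names are placeholders.

```apache
# --- Weak: default DocumentRoot with .inc files inside it ---
# Apache only hands files to the PHP handler by extension. With the
# stock "AddType application/x-httpd-php .php" mapping, a request for
# /lib/config.inc matches no handler and is served as text/plain,
# exposing source (and any embedded credentials) to the browser.
#
# --- Mitigation 1: refuse to serve .inc files at all ---
# Place this in httpd.conf or in an .htaccess at the DocumentRoot.
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>

# Apache 2.2 equivalent of the block above (older hosted servers):
# <FilesMatch "\.inc$">
#     Order allow,deny
#     Deny from all
# </FilesMatch>

# --- Mitigation 2 (preferred): keep includes outside the web root ---
# Nothing under /srv/app/includes is reachable by URL, so a missing
# handler mapping can never leak it. PHP still finds the files via
# include_path; only /srv/app/public is published.
DocumentRoot "/srv/app/public"
<Directory "/srv/app/public">
    Require all granted
</Directory>
php_value include_path ".:/srv/app/includes"
```

After deploying either rule, request one of the .inc paths directly over HTTP and confirm the response is 403 (or 404), not the file's source; that check is what the OWASP advice is really asking for, since it does not depend on trusting the host's defaults.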