Radicore Forum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » RADICORE development » Framework » OWASP standards vs. Radicore Framework
OWASP standards vs. Radicore Framework [message #120] Thu, 29 June 2006 11:32 Go to previous message
andy is currently offline  andy
Messages: 7
Registered: June 2006
Location: Reno, NV, USA
Junior Member
Greetings,

Finally I have the opportunity to review this full release of the Marston web framework. I've been busy working with Python the last few months, giving me a new perspective on things Shocked .

Q: Recently I was taken to task for using extensions such as ".inc" rather than standard ".php". The problem, related to OWASP security recommendations for php applications, is that if your server is not configured correctly then .inc files will dump as plain text to the browser. This is a potential security hole. The premise of OWASP philosophy, for background here, is that one should never trust a server configuration. Being that web application code can be deployed on any server, many of which will be hosted and of course the developer may very likely have no influence on server (Apache) configuration settings.

Wondering why this framework code still uses the ".inc" extension?

Shouldn't the OWASP recommendation be heeded?
 
Read Message
Read Message
Read Message
Read Message
Previous Topic: metadata vs. business logic
Next Topic: Framework Version
Goto Forum:
  


Current Time: Fri Nov 08 19:48:12 EST 2024

Total time taken to generate the page: 0.01021 seconds