
It's barely a vulnerability. Many open source projects have theirs public. It might be a problem if the company's system was terrible and relied on security through obscurity; but maybe they don't care. The engineers who think it's a big deal may have tunnel vision. That can happen if you spend years in a very narrow area.


It's standard practice not to serve any hidden files (starting with .) over HTTP. The fact that .gitignore is served can indicate they don't block .paths, so lots of other things could slip through (.aws for instance).


Is that a standard now? Who's going to tell the guys using .well-known?


It has always been standard, it was the #1 thing to do when setting up Apache back when Apache was the standard and nginx was still this obscure Russian porn web server.

.well-known is much more recent and an exception. Can you think of any other .file or .folder which is wise to be exposed publicly?


I was around back then and uploading websites, (version controlling on svn, not git), and I do not recall it being a standard. The closest standard I can think of is .htaccess files (which we did upload) for various vhost specific settings.

What is your basis for this standard? Was there a mailing list agreement I missed?


That is an apacheism to avoid serving .htaccess which can include hashed passwords. It's not a general thing.


.plan


Mastodon actually uses .well-known for Webfinger stuff.


Are you sure it isn't .ht* that's blocked? That's what the default config is on my system.
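For reference, here is what the two positions in this thread look like as Apache 2.4 configuration: the stock httpd.conf rule, which only refuses `.ht*` files, beside a broader rule that refuses every dotfile and dot-directory while carving out `.well-known`. This is an added example, not configuration posted by anyone in the thread; it assumes Apache 2.4 syntax (`Require all denied`) and a single DocumentRoot.

```apache
# Stock Apache 2.4 httpd.conf: only .htaccess / .htpasswd-style files are
# refused. A request for /.gitignore, /.env or /.git/config passes through.
<Files ".ht*">
    Require all denied
</Files>

# Broader rule: refuse any file whose basename starts with a dot
# (.gitignore, .env, .DS_Store, .htaccess ...).
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# ... and anything under a dot-directory (.git, .aws, .svn ...), except
# .well-known, which RFC 8615-style discovery (ACME, WebFinger) needs served.
<DirectoryMatch "/\.(?!well-known)">
    Require all denied
</DirectoryMatch>
```

Both rules answer with 403, which still confirms that the path exists; if you would rather not distinguish a blocked dotfile from a missing one, `RedirectMatch 404 "/\.(?!well-known)"` returns 404 for the same paths instead. Whichever form you use, keep it in the server config rather than in a `.htaccess` file, since the rule is what protects `.htaccess` itself.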



