Is there a way to force apache to return 404 instead of 403?

Solution 1

RedirectMatch as in e.g.

RedirectMatch 404 /\.

does the trick: it prohibits access to all files or directories starting with a dot, giving a "404 Not Found" error.

From the Apache manual: "The Redirect[Match] directive maps an old URL into a new one by asking the client to refetch the resource at the new location." By default, Redirect sends a 302 return code, but it can also return other status codes as shown above.

Solution 2

You can make something like this:

.htaccess

ErrorDocument 403 /error/404.php

404.php

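<?php
// Apache runs this script as the 403 ErrorDocument; override the
// status so the client receives 404 instead of 403.
$status = $_SERVER['REDIRECT_STATUS'] = 404;
header( $_SERVER['SERVER_PROTOCOL'] . ' ' . $status);
?>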

404 Error

Solution 3

After having the same problem, I ended up with the following .htaccess file

Options -Indexes
RewriteCond %{HTTP_HOST} ^(www\.)?mydomain.com [NC]
RewriteRule ^(.*)/$ - [R=404,NC]

The 1st and 3rd lines ensure that you can't list the folder content, and if you try, you will receive a 404 error. The RewriteCond directive ensures that this rewrite rule only applies to the main domain. Since I have several subdomains, without the RewriteCond, accessing www.mydomain.com/subdomain was also returning a 404, which was not what I intended.

Solution 4

In my opinion, doing this in .htaccess is quite an ugly solution.

It is possible to do it in the Apache configuration. Take a look:

Add to your Apache config:

ErrorDocument 403 /404

Then restart Apache:

service apache2 restart

That is all.

Author by

fuenfundachtzig

Updated on July 12, 2022

Comments

  • fuenfundachtzig
    fuenfundachtzig almost 2 years

    Is there a way I can configure the Apache web server to return a 404 (not found) error code instead of 403 (forbidden) for some specific directories to which I want to disallow access?

    I found some solutions suggesting the use of mod_rewrite, e.g.

    RewriteEngine On
    RewriteRule ^.*$ /404 [L]
    

    As the purpose of sending 404 instead of 403 is to obfuscate the directory structure, this solution is too revealing, because it redirects to some different location which makes it obvious that the directory originally accessed does in fact exist.
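
One way to check the concern raised in the question, that a response which differs from a genuine 404 gives the directory away, is to compare the response for the protected path with the response for a path that really does not exist. This is an added example, not code from the question or any of the answers; the sample responses, the paths and the names `parse_response` and `differences` are constructed for illustration.

```python
# Headers that vary between any two requests and carry no signal.
VOLATILE = {"date", "content-length"}

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body

def differences(raw_hidden, hidden_path, raw_missing, missing_path):
    """Return what distinguishes the hidden path's response from a real 404."""
    s1, h1, b1 = parse_response(raw_hidden)
    s2, h2, b2 = parse_response(raw_missing)
    # The requested path may be echoed back; mask it before comparing.
    mask = lambda text, path: text.replace(path, "<PATH>")
    found = []
    if s1 != s2:
        found.append(f"status: {s1} vs {s2}")
    for name in sorted((set(h1) | set(h2)) - VOLATILE):
        v1 = mask(h1.get(name, ""), hidden_path)
        v2 = mask(h2.get(name, ""), missing_path)
        if v1 != v2:
            found.append(f"header {name}: {v1!r} vs {v2!r}")
    if mask(b1, hidden_path) != mask(b2, missing_path):
        found.append("body differs")
    return found

# Constructed sample responses (not captured from a real server).
BODY = "<h1>Not Found</h1><p>The requested URL {} was not found.</p>"
HDRS = "Date: Tue, 12 Jul 2022 10:00:0{} GMT\r\nContent-Type: text/html\r\n"
MISSING = "HTTP/1.1 404 Not Found\r\n" + HDRS.format(1) + "\r\n" + BODY.format("/nope/")
MASKED = "HTTP/1.1 404 Not Found\r\n" + HDRS.format(2) + "\r\n" + BODY.format("/.git/")
REDIRECT = "HTTP/1.1 302 Found\r\n" + HDRS.format(3) + "Location: /404\r\n\r\n"

if __name__ == "__main__":
    # Hidden path answered like a real 404: nothing to tell them apart.
    print(differences(MASKED, "/.git/", MISSING, "/nope/"))
    # Hidden path answered with a redirect: status, Location and body differ.
    print(differences(REDIRECT, "/.git/", MISSING, "/nope/"))
```

Against a real server, the two raw responses would be captured from the configuration under test, for example with `curl -i`, and an empty result means the protected directory is indistinguishable from a missing one at the HTTP level.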