[thelist] Hide entire directory from search engines?

Stephen Rider evolt_org at striderweb.com
Sun Mar 30 10:50:11 CDT 2008

On Mar 29, 2008, at 11:20 AM, Hassan Schroeder wrote:
> On Sat, Mar 29, 2008 at 7:32 AM, Stephen Rider <evolt_org at striderweb.com 
> > wrote:
>> If nothing links to them, the bots shouldn't find them anyway.
> In theory that's true, but it only takes one inadvertent exposure --  
> via
> archived email that gets spidered, or whatever -- to blow that  
> cover. :-)

Very true.  "Security through obscurity" is lightweight.

> It's not something I'd count on for sensitive material, and too  
> often an
> 'include' will contain things like DB passwords that you *really*  
> don't
> want public.

However, if the includes are in PHP and properly coded, a hacker  
should only see the _results_ of the code and not the code itself, am  
I correct?

Damn, I knew I shouldn't have put the password in the filename!  ;)

> Outside the web root or password-protected (or in Java, in WEB-INF)
> is much safer.

True.  If you already have a gazillion pages pointing to a particular  
include, you could move the actual includes to a folder above the web  
root, and then put up like-named PHP files that require() the actual  

Hopefully there aren't hundreds of includes in that case.  Depends on  
how secure is secure for you. :)


More information about the thelist mailing list