Custom 403 Error Message
Contents |
here for a quick overview of the site Help Center Detailed answers to any questions you might have Meta Discuss the workings and policies of this site About Us Learn more about Stack Overflow the custom 403 error page company Business Learn more about hiring developers or posting ads with us Stack Overflow http 403 error message Questions Jobs Documentation Tags Users Badges Ask Question x Dismiss Join the Stack Overflow Community Stack Overflow is a community of 4.7 403 error message example million programmers, just like you, helping each other. Join them; it only takes a minute: Sign up Custom Error 403 Page PHP up vote 8 down vote favorite I created a .htaccess inside a directory in
Ie 403 Error Message
which I don't want the files to be directly accessed. It works and fires the default 403 page (Access forbidden!) of the Apache server. How can I create a custom 403 page? Thanks! php apache .htaccess mod-rewrite http-status-code-403 share|improve this question edited May 27 '15 at 15:11 Dendromaniac 322114 asked Jan 2 '12 at 17:21 fart-y-goer 3372621 1 If you can check my questions, almost all of it show the code that error message 403 forbidden access is denied I have as of the time the question was asked. Unfortunately for this, I don't have any idea. Forgive me. –fart-y-goer Jan 2 '12 at 17:29 add a comment| 2 Answers 2 active oldest votes up vote 20 down vote accepted In your .htaccess file you can specify what document you want as your default 403 error document ErrorDocument 403 /dir/file.html Here the directory is relative to the document root. share|improve this answer answered Jan 2 '12 at 17:25 JK. 4,26711621 add a comment| up vote 6 down vote You can do something like the following: #Rewrite URL's RewriteEngine On RewriteRule ^404/?$ errors/404.html [NC] # Enable Error Documents # (404,File Not Found) | (403,Forbidden) | (500,Internal Server Error) ErrorDocument 404 /404 ErrorDocument 403 /404 What this is doing is turning on the RewriteEngine so we can redirect url's nicely, then we are defining using the RewriteRule that /404/ or /404 should redirect to the custom 404 page. I then state that the ErrorDocument 404 and 403 should redirect to the 404 page. I do this for security so, a user does not know whether or not a file exists or if they just don't have access. share|improve this answer answered Jan 2 '12 at 17:27 Aramael Pena-Alcantara 129117 add a comment| Your Answer draft
generic error responses in the event of 4xx or 5xx HTTP status codes, these responses are http error message 403 forbidden from detected rather stark, uninformative, and can be intimidating to site users. You may
Custom 404 Error Page
wish to provide custom error responses which are either friendlier, or in some language other than English, or
Custom 401 Error Page
perhaps which are styled more in line with your site layout. Customized error responses can be defined for any HTTP status code designated as an error condition - that http://stackoverflow.com/questions/8703540/custom-error-403-page-php is, any 4xx or 5xx status. Additionally, a set of values are provided, so that the error document can be customized further based on the values of these variables, using Server Side Includes. Or, you can have error conditions handled by a cgi program, or other dynamic handler (PHP, mod_perl, etc) which makes use of these variables. Configuration Available https://httpd.apache.org/docs/2.4/custom-error.html Variables Customizing Error Responses Multi Language Custom Error Documents See alsoComments Configuration Custom error documents are configured using the ErrorDocument directive, which may be used in global, virtualhost, or directory context. It may be used in .htaccess files if AllowOverride is set to FileInfo. ErrorDocument 500 "Sorry, our script crashed. Oh dear" ErrorDocument 500 /cgi-bin/crash-recover ErrorDocument 500 http://error.example.com/server_error.html ErrorDocument 404 /errors/not_found.html ErrorDocument 401 /subscription/how_to_subscribe.html The syntax of the ErrorDocument directive is: ErrorDocument <3-digit-code>
tour help Tour Start here for a quick overview of the site Help Center Detailed answers to any questions you might have Meta Discuss the workings and policies of this site About Us Learn more about http://security.stackexchange.com/questions/46171/is-it-a-good-practice-to-show-403-unauthorized-access-error-to-user Stack Overflow the company Business Learn more about hiring developers or posting ads with us Information Security Questions Tags Users Badges Unanswered Ask Question _ Information Security Stack Exchange is a question and answer site for http://www.golivecentral.com/pages/txttut/customerror.shtml information security professionals. Join them; it only takes a minute: Sign up Here's how it works: Anybody can ask a question Anybody can answer The best answers are voted up and rise to the top error message Is it a good practice to show 403 unauthorized access error to user? up vote 18 down vote favorite 2 Whenever we see a 403 forbidden access error page we think we have got to a place where some secret or private data is present. Now at this point bad guys know that this might be of interest and start to see if they can do something to get access to 403 error message this secret data. So is it good to show this error or just redirect to some other place? Edit I am thinking of dealing with error is to redirect to separate login page to access that particular resourse. But in this case also what if I simply don't want any one (may be even admin) to have access to these resource via my application. Offcourse admin can access the same resource by some other mean at the backend. http data-leakage share|improve this question edited Dec 4 '13 at 5:08 asked Nov 28 '13 at 8:10 ThankYouSRT 1481110 migrated from webapps.stackexchange.com Nov 28 '13 at 10:51 This question came from our site for power users of web applications. Question about your app: would normal usage of the app ever take a user to an unauthorised page? Or will this only occur if the user does something unusual, such as editing the URL? –paj28 Dec 3 '13 at 14:55 In any case it can throw this error since a previously accessed urls my be revisited by some other users (as they are stored in the browser history) or any url editing too can be sometimes bad. –ThankYouSRT Dec 4 '13 at 5:03 RFC2616 says that a server shoul
user panel or some other interface. If you have that option you can stop reading right here! :-) First make the error pages. They are just standard html pages, but the links (to images etc.) must be absolute and look like this: http://www.myDomain/myImages/theImage.gif When the error pages are uploaded you need to create an .htaccess file. Here is some very important information on how to create and upload an .htaccess file: The first problem you will run into is that your OS probably won't like a file name beginning with a dot. .htaccess files actually don't have names, just an extension!! The solution is simple, save the file as htaccess.txt in GoLive and change the name to .htaccess (with the dot!) after you uploaded it. The extension .txt will force GoLive to upload the file in ASCII mode, exactly what we want! So, what should go into the .htaccess file? Here is an example: ErrorDocument 404 /errors/notfound.html
ErrorDocument 401 /errors/authreqd.html
ErrorDocument 500 /errors/internalerror.html
ErrorDocument 403 /errors/forbid.html You can name the error pages whatever you like , just make sure that you connect the right document to the right error number, and that you don't use any special characters or spaces in the paths and file names. In the example above all the error pages are located in the folder "errors", the paths must be absolute (starting with the root "/"). When you created the .htaccess file you save it, upload it and change the file name like I mentioned earlier. The .htaccess file must be located in your root folder, since it only affects the folder where it's located and all sub folders. If you place the file further down the file structure the higher levels will not get your custom error pages. You don't need to create custom pages for all errors, if you just want a 404 the server will use the default pages for all other errors. The errors that you might want to cover are: 400 - Bad request 401 - Authorization Required 403 - Forbidden 404 - Not Found 500 - Internal Server Error That's it! - michael ahgren GoLive is a registered trademark of Adobe Systems Incorporated. GoLiveCentral.com is not affiliated with, or endorsed by Adobe Systems Incorporated. Copyright© GoLiveCentral.com 2012 All Rights Reserved