Lucee docs url

[Nando Breiter]

I'm having trouble finding the lucee docs url again. Could someone please remind me what it is? Any reason it's been excluded from the admin nav?

Thanks,

Nando

Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

[Michael van Leest]

<your-host>/lucee/doc.cfm

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/CAGHrs%3D8QLkjOQVvxm%3DM7dJOSkiT9KLEnCAwU0QMzQOh9Rud4sg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--

Michael van Leest

[Nando Breiter]

Thank you Michael!

Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/CAMaJE6uQedjQUzmyYqyF%2BOvA8i1oohfK5sBKG0_z9_muypGoJQ%40mail.gmail.com.

[Michael Offner]

It was excluded so no password is necessary to reach it

Micha

--

[Andrew Penhorwood]

Just put a link that opens a new tab / window.  Since were on the subject can we turn that off so we don't have sites that show documentation?  I can see a bot now that will go through sites look for the doc link to know that it is a Lucee site.

Andrew Penhorwood

[Andrew Dixon]

Just add a deny rule to your production web server so it can't serve it.

Kind regards,

Andrew

http://about.me/andrew_dixon

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/8218bb32-5119-4c43-a9e3-4ece7810f6f4%40googlegroups.com.

[ADK]

you could, but secure by default is the better route I think.

[Igal @ Lucee.org]

+1

To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/cc0702b0-01ac-451f-beeb-a1da4ec721ce%40googlegroups.com.

[Michael Vornkahl]

+1

Michael

[Michael Offner]

We could move the doc to a extension ...

Micha

To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/cc0702b0-01ac-451f-beeb-a1da4ec721ce%40googlegroups.com.

[Andrew Penhorwood]

+1

[Peter Boughton]

I think the convenience of having the docs available by default
outweighs the minor issue of telling a potential attacker which CFML
engine is being used.

Any malicious bot that might look for /lucee/doc.cfm can just as easily
look for /index.cfm to determine that a CFML engine is running, and
then try all the CFML-related exploits it has anyway (because nobody is
going to target *just* Lucee; they'll go after them all.)

It can be excluded from search engines with a noindex meta tag, plus of
course a rel="canonical" to point them at the official docs.

[Andrew Penhorwood]

The point of having the docs in an extension is those who want them can have them.  Nothing prevents you from installing it.

Andrew Penhorwood

[Peter Boughton]

The point of the word "convenience" is to indicate that installing an
extension is several extra steps, which is exactly the sort of thing
that can be frustrating for a beginner. (Those being significant if not
primary users of the documentation.)

Having a pre-installed extension which can be removed by those that
don't want it is convenient and preserves the security theatre for the
paranoid.

A better approach is probably for the installer to present a choice of
"developer mode" vs "hardened mode" which controls what is on/off by
default, since there are obviously other considerations here too.

[Andrew Penhorwood]

I think Micha already talked about having some extensions installed by default.  So I think in that case we both win.  A standard install would include the docs extension.  I can simple "uncheck" that option when I do my install.  Not that I do an install anyway since I use Jetty.

Have you ever installed Contentbox? It included items for the install then gives you a UI to remove the install components after they are not needed.  It would be great if extensions worked like along those lines.  Having followed this project since it went open source I'm sure Micha as something like that in mind.

Andrew Penhorwood.