It is difficult to guarantee the security of a web application: nobody knows what new vulnerabilities will emerge tomorrow, and nobody knows whether a given module was written by a programmer with no security awareness. Most web scanners (including upload-point and admin-backend scanners) decide whether a page exists by checking for an HTTP 200 response, and only then start scanning that page for vulnerabilities. Since the internal logic cannot be strictly controlled, let's look at the input/output boundary instead. When a wrong password is entered or a permission check fails, we return an HTTP 4xx error (404 Not Found in the example below) to mislead the scanner into stopping (and manual intruders as well). Take PHP as an example:
<?php
// Buffer output so the status header can still be set after HTML starts.
ob_start();
// Hard-coded demo password; on a wrong or missing password, answer exactly
// like a page that does not exist, so a 200-gated scanner moves on.
if ('Password' != ($_GET['Password'] ?? null)) {
    header("HTTP/1.1 404 Not Found");
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head><title>Sample</title></head>
<body></body>
</html>
<?php ob_end_flush(); ?>
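The same idea as a self-contained WSGI handler, written here as an added example (not code from the original post). It assumes a constructed placeholder password "Password", a query parameter of the same name, and constructed page bodies; the helper scanner_thinks_page_exists models the "page exists only on HTTP 200" rule the post attributes to scanners. Beyond the PHP snippet, it uses a constant-time comparison and returns a body identical to a real missing page, so the status line is not the only thing that differs between "wrong password" and "no such page".

```python
"""Return HTTP 404 on failed authentication so 200-gated scanners skip the page.

Added example, not from the original post. The password, parameter name and
page bodies below are constructed placeholders.
"""
import hmac
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed placeholder; a real deployment keeps a password hash in config.
EXPECTED_PASSWORD = "Password"

# Same body a genuine missing page returns, so the response does not stand out.
NOT_FOUND_BODY = (b"<html><head><title>404 Not Found</title></head>"
                  b"<body>Not Found</body></html>")
PAGE_BODY = (b"<html><head><title>Sample</title></head>"
             b"<body>admin panel (constructed)</body></html>")


def password_ok(supplied):
    """Constant-time comparison so a partial match does not leak via timing."""
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), EXPECTED_PASSWORD.encode())


def app(environ, start_response):
    """WSGI app: correct password -> 200 + page; anything else -> 404 like a missing page."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    supplied = params.get("Password", [None])[0]
    if password_ok(supplied):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [PAGE_BODY]
    start_response("404 Not Found", [("Content-Type", "text/html")])
    return [NOT_FOUND_BODY]


def call(path, query=""):
    """Drive the app offline and return (status line, body) for one request."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = query
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def scanner_thinks_page_exists(status):
    """Decision rule the post attributes to scanners: a page 'exists' only on HTTP 200."""
    return status.startswith("200")


if __name__ == "__main__":
    for q in ("", "Password=guess", "Password=Password"):
        status, body = call("/admin.php", q)
        print(f"{q or '<no param>':20} -> {status:15} "
              f"scanner sees page: {scanner_thinks_page_exists(status)}")
```

Run it directly to see the three cases: no parameter and a wrong password both produce the 404 that a 200-gated scanner treats as "no page here", while the correct password returns the real page. Keeping the 404 body byte-identical to the server's normal missing-page response is what makes the status code believable rather than a lone signal.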