Open alexmbird opened 1 week ago
Obscurity ain't so bad! I wouldn't want to worry about one more attack vector either. Ideally, I wouldn't even want to host the webadmin on the same server.
But there is already a change that is cooking for this exact purpose AFAIK.
;)
Thank you for adding the robots.txt. Ideally, any code binding http or https should have it
What about implementing the security.txt spec? Maybe it is already done
@mdecimus that was quick, thanks :)
Which feature or improvement would you like to request?
I'd like to see this feature:
At present, when using Stalwart's (brilliant) feature to get LetsEncrypt certificates its HTTP (+HTTPS?) interfaces must be exposed to the whole world. From a security perspective this is undesirable - Stalwart installations will get indexed by Google et al, so if ever there's a vulnerability they'll be easy to find and exploit.
That's not just a theoretical concern - two people's Stalwart installations already show up on Google:
To prevent this it'd be nice to have:
/robots.txt discouraging search engines from indexing Stalwart installations
Hits to /.well-known will need to bypass the restriction as LetsEncrypt don't publish the IP ranges their challenges come from.
Is your feature request related to a problem?
I'm having a problem with...
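The policy requested above, sketched as an added example (not Stalwart code and not part of the original issue). It assumes the restriction is a source-IP allowlist, which the issue text does not spell out, and it narrows the bypass to the ACME HTTP-01 path under /.well-known; the networks, the `decide` function and the return bodies are hypothetical.

```python
import ipaddress
from posixpath import normpath
from urllib.parse import unquote

# Assumed policy values, constructed for this example.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "2001:db8::/32")]
ACME_PREFIX = "/.well-known/acme-challenge/"
ROBOTS_BODY = "User-agent: *\nDisallow: /\n"


def decide(path, client_ip):
    """Return (status, body) for a GET arriving on the public HTTP listener."""
    # Drop the query string, decode percent-escapes, then collapse "." and
    # ".." so a request such as "/.well-known/acme-challenge/../admin"
    # cannot borrow the challenge exemption.
    raw = unquote(path.split("?", 1)[0])
    clean = normpath("/" + raw.lstrip("/"))

    # Crawlers must be able to read the policy, so it is served to everyone.
    if clean == "/robots.txt":
        return 200, ROBOTS_BODY

    # HTTP-01 validation comes from unpublished addresses: exempt exactly one
    # path segment (the token) below the challenge prefix, nothing deeper.
    if clean.startswith(ACME_PREFIX) and "/" not in clean[len(ACME_PREFIX):]:
        return 200, "acme-challenge"  # hand off to the ACME responder

    # Everything else (webadmin, APIs) is limited to the allowlisted networks.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in ALLOWLIST):
        return 200, "app"
    return 403, ""


if __name__ == "__main__":
    # Constructed sample requests: (path, source address).
    for req in [("/robots.txt", "203.0.113.9"),
                ("/.well-known/acme-challenge/tok123", "203.0.113.9"),
                ("/.well-known/acme-challenge/%2e%2e/admin", "203.0.113.9"),
                ("/admin", "10.1.2.3"),
                ("/admin", "203.0.113.9")]:
        print(req, "->", decide(*req)[0])
```
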