
Rule n° 217 - The server sends a customised 403 “Forbidden” error page.

When a user tries to reach a forbidden page (a request to list the contents of a directory, for example), the server does not return a 404 (not found) page but a 403 (forbidden) page, which in its default form is bare and unwelcoming. As with error 404, this page can be customised in the colours of the site being visited.

#Server and performances #Development

Goal

  • Reassure users that they are still on the same website.
  • Allow the webmaster to provide guidance to users.
  • Inform users of the error encountered and of the server’s continuing operation.
  • Inform users that the problem isn't caused by their connectivity.

Implementation

Modify the web server configuration so that the user is sent to a customised page when access to the requested resource is not allowed.

If the main server configuration is not directly accessible and the environment allows it, use a per-directory local configuration. For example, Apache allows the creation of an .htaccess file containing directives for error handling: ErrorDocument 403 /mapage.html.
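As an added illustration (not part of the Opquast rule text), the .htaccess fragment below shows the directive above together with the two conditions a practitioner checks in the same file: the error page is referenced by a local path rather than a full URL (a full URL makes Apache answer with a 302 redirect, so the 403 status is lost), and the error page itself is readable by everyone, because if Apache cannot serve the ErrorDocument it falls back to its own default 403 page. The file name mapage.html is the one used in the rule; the directory and the Require line are assumptions for the example.

```apache
# .htaccess at the web root (assumed location for this example).
# Local path only: "ErrorDocument 403 https://example.com/403" would redirect (302).
ErrorDocument 403 /mapage.html

# Directory listings are refused instead of shown; a request for /img/ then yields 403.
Options -Indexes

# The custom page must stay reachable even where everything else is forbidden,
# otherwise Apache serves its default 403 page with an extra error message.
<Files "mapage.html">
    Require all granted
</Files>
```

The custom page should be a plain static file that loads its stylesheet and logo from paths that are also publicly readable, for the same reason.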

Control

For each audited site:

  • Obtain a 403 error page. To do so, remove the last part of the URL of one of the site's images, keeping only the directory names between the slashes of that address, for example: https://www.example.com/img/. The page displayed should then be a 403 error page.
  • Check that the page returned does not correspond to the 403 page returned by default by the server (Apache, IIS, Nginx) but to a custom error page, with graphics that are consistent with the website in general.
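The two control steps above can be scripted. The following is an added example written for this page, not an Opquast tool: it derives the directory URL from an image URL by dropping the file name, requests it, and compares the body of a 403 response against fingerprints of the stock error pages. The fingerprint strings are assumptions taken from the default templates shipped with Apache httpd, nginx and IIS; the sample bodies at the bottom are constructed so the classifier can be exercised offline.

```python
"""Control check for rule 217: is the 403 page the server default or a custom one?"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Assumed fingerprints of the stock 403 pages (all strings must appear in the body).
DEFAULT_403_FINGERPRINTS = {
    "apache": ("<title>403 Forbidden</title>", "You don't have permission to access"),
    "nginx": ("<center><h1>403 Forbidden</h1></center>", "<center>nginx</center>"),
    "iis": ("You do not have permission to view this directory or page",),
}


def directory_url(image_url: str) -> str:
    """Drop the last path segment (the image file name), keeping only the directories.

    Query string and fragment are discarded as well, since the audit requests the
    bare directory.
    """
    parts = urlsplit(image_url)
    path = parts.path.rsplit("/", 1)[0] + "/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def classify_403_body(body: str) -> str:
    """Return 'default:<server>' when the body matches a stock 403 page, else 'custom'."""
    for server, needles in DEFAULT_403_FINGERPRINTS.items():
        if all(needle in body for needle in needles):
            return f"default:{server}"
    return "custom"


def check_site(image_url: str, timeout: float = 10.0) -> dict:
    """Request the directory URL and report the status code and the verdict."""
    url = directory_url(image_url)
    req = urllib.request.Request(url, headers={"User-Agent": "rule-217-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the error object still carries the body.
        status, body = err.code, err.read().decode("utf-8", "replace")
    verdict = classify_403_body(body) if status == 403 else "not-403"
    return {"url": url, "status": status, "verdict": verdict}


# Constructed sample bodies for offline demonstration (not captured from a real site).
SAMPLE_APACHE_403 = (
    "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n"
    "<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n"
    "<p>You don't have permission to access this resource.</p>\n</body></html>\n"
)
SAMPLE_NGINX_403 = (
    "<html>\n<head><title>403 Forbidden</title></head>\n<body>\n"
    "<center><h1>403 Forbidden</h1></center>\n<hr><center>nginx</center>\n"
    "</body>\n</html>\n"
)
SAMPLE_CUSTOM_403 = (
    "<!DOCTYPE html>\n<html lang=\"en\"><head>\n"
    "<title>Access restricted - Example Site</title>\n"
    "<link rel=\"stylesheet\" href=\"/css/site.css\"></head>\n"
    "<body><header><img src=\"/img/logo.png\" alt=\"Example Site\"></header>\n"
    "<main><h1>This area is not accessible</h1>\n"
    "<p>You are still on Example Site. <a href=\"/\">Return to the home page</a>.</p>\n"
    "</main></body></html>\n"
)

if __name__ == "__main__":
    # Usage: python check_403.py https://www.example.com/img/logo.png
    for image in sys.argv[1:]:
        print(check_site(image))
```

A verdict of `not-403` means the first control step failed (the directory was listed, or the server answered with a redirect or 404 instead); `default:<server>` means the second step failed. Only `custom` passes both, and the graphic consistency with the rest of the site still has to be judged by eye.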

By Opquast