In an effort to help keep my website clean and secure, I am trying to figure out how to force any 403 (forbidden) error to be sent back to the client with a 404 header, as if it doesn't exist. I do not want the URL to be rewritten and trigger the 404, I just need it to give 404 in lieu of a 403. I already have the code that sends a 403 when a directory without an index is specified:

Code (.htaccess):
Options -Indexes
I am not sure if that is a really wise solution. Adding all 403 pages to your 404 has a downside: every now and then you may want to search your access_log stats to see if you have some REALLY missing pages on your site, either as a result of wrong links or removed pages with surviving links. If you force a 403 response coming from an actually existing page to be a 404, you may have much greater difficulties later on to verify all real 404s. You may find some 10x more 403s on a server than real 404s, hence the real 404s will be lost in a flood of 403s.

The separate logging of 403s does later on allow you to inspect your site for possible vulnerabilities or possible mod_security rules you may either modify or install for better server protection, while the 404s result either from mistyping or BLs to deleted pages and may trigger other actions from your side.

If after careful consideration of the above-mentioned you still want a forbidden to result in a 404, you may find in your Apache system-wide configuration a configuration to do so. In my openSUSE environment, that would be in a system configuration file for Apache: errors.conf has lines like

ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var

that redirect a particular error to its respective error page. You then would change the redirected error page for your 403 (and reboot Apache). I assume that would do your job.
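The logging trade-off described in the reply above, as an added example that is not part of the original thread: it tallies 403 and 404 responses per path from access_log lines, then repeats the tally with every 403 reported as 404 to show how the genuinely missing page gets buried. The log lines are constructed samples in Apache's combined format, and `triage` and `fold_403_into_404` are hypothetical helper names.

```python
import re
from collections import Counter

# Apache "combined" LogFormat:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /images/ HTTP/1.1" 403 199 "-" "probe"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /includes/ HTTP/1.1" 403 199 "-" "probe"',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /images/ HTTP/1.1" 403 199 "-" "probe"',
    '198.51.100.4 - - [10/Mar/2024:10:05:00 +0000] "GET /old-page.html HTTP/1.1" 404 196 '
    '"http://example.org/links.html" "browser"',
    '198.51.100.9 - - [10/Mar/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "browser"',
]

def triage(lines):
    """Return (forbidden, missing): per-path Counters of 403 and 404 responses."""
    forbidden, missing = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        if m["status"] == "403":
            forbidden[m["path"]] += 1
        elif m["status"] == "404":
            missing[m["path"]] += 1
    return forbidden, missing

def fold_403_into_404(lines):
    """Simulate the log of a server that answers 404 wherever it would answer 403."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "403":
            line = line[:m.start("status")] + "404" + line[m.end("status"):]
        out.append(line)
    return out

if __name__ == "__main__":
    for label, lines in (("separate", SAMPLE), ("folded", fold_403_into_404(SAMPLE))):
        forbidden, missing = triage(lines)
        print(label, "403:", dict(forbidden), "404:", dict(missing))
```

With separate status codes the one broken link stands alone in the 404 tally; once folded, it shares that tally with every blocked directory request and the 403 tally is empty.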
I do understand the fact I will not be able to have accurate logs, but this is for security purposes. I need the header of the page to be 404, not 403. Let's take Google (they have a similar system). The URL of the Google logo is:

http://www.google.com/intl/en_ALL/images/logo.gif

But try to visit the directory:

http://www.google.com/intl/en_ALL/images

You get a 404, even the HTTP headers state this.