Use JS or PHP-masquerading-as-image to test .htaccess on admin/reports/status

Created on 22 June 2015, almost 10 years ago
Updated 4 April 2025, 24 days ago

@mlhess wrote on #2508666: Drupal 8 .htaccess rule to prevent php file access can be easily bypassed →:

Can we build in a status check for people who may not have htaccess set up correctly? Something that says their site is insecure, like the update notices?

@pwolanin replied:

@mlhess - reliably checking Drupal by trying to make http requests to itself has problems. e.g. see: #965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls →

At this point I wonder if implementing some of these checks client side (i.e. JS) would be more sensible, since clearly the browser can access the site at the point you are viewing a report page.

and @chx replied:

If you do, you need to do it with JS and/or PHP-masquerading-as-image but server-to-server requests have been attempted and failed. There are too many variations to make it work reliably. So please do not try it again :)

This issue will explore creating a solution that works in all cases.

📌 Task

Status: Active

Version: 11.0 🔥

Component: base system

Created by: 🇬🇧 United Kingdom alexpott 🇪🇺

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇫🇷 France prudloff Lille

    Do we have a standardized way to add JS checks to /admin/reports/status?
    I think this page only contains server-side checks.

  • 🇬🇧 United Kingdom catch

    @prudloff I think the idea was an Ajax or image request that sets something in key/value etc. which can then be checked the next time the page is visited.
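The flow discussed in this thread (the browser probes the site, the server stores the outcome for the next visit to the status page), sketched as an added example that is not code from the issue or from Drupal core. The probe path, report endpoint, marker token and function names are all assumptions, and the probe file is assumed to be a small PHP file that prints the marker when executed.

```javascript
// Added example; every name below is hypothetical, not a Drupal API.
const MARKER = 'htaccess-probe-ok'; // constructed token the probe file would print
const PROBE_URL = '/path/to/htaccess-probe.php'; // placeholder path
const REPORT_URL = '/admin/reports/status/htaccess-result'; // placeholder endpoint

// Turn one probe response into a verdict for the status report.
function classifyProbe(status, body) {
  if (status === 403) return 'blocked'; // .htaccess denied the request
  if (status === 404) return 'inconclusive'; // probe file missing, nothing learned
  if (status >= 200 && status < 300) {
    // Raw source also contains MARKER, so test for the PHP open tag first.
    if (body.includes('<?php')) return 'source-exposed';
    if (body.includes(MARKER)) return 'php-executed';
  }
  return 'inconclusive';
}

// Probe from the browser, then hand the verdict to the server to store.
async function runHtaccessCheck(fetchImpl = globalThis.fetch) {
  let verdict = 'inconclusive';
  try {
    // Anonymous, uncached request, so the answer reflects what a visitor gets.
    const res = await fetchImpl(PROBE_URL, { cache: 'no-store', credentials: 'omit' });
    verdict = classifyProbe(res.status, await res.text());
  } catch (err) {
    // Network failure: keep 'inconclusive' rather than guessing.
  }
  try {
    // A real endpoint would need the admin session and a CSRF token.
    await fetchImpl(REPORT_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ check: 'htaccess', verdict }),
    });
  } catch (err) {
    // Reporting failed; the next page view simply retries.
  }
  return verdict;
}

// Run only in a browser; in other runtimes the functions are just defined.
if (typeof document !== 'undefined') runHtaccessCheck();
```

Only the `blocked` verdict indicates the rule is working; `php-executed` and `source-exposed` are the cases the status page would flag.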
