PCI Compliancy

flamewalker

The scan today did not pass, saying we need Apache 2.2.6 or greater. Isn't 2.2.19 > 2.2.6? Also it says I need to set up a non-standard 403 response that doesn't mirror the HTTP request back to the user. Wouldn't that break the standard functionality of a 403 error??

TIA.
 
Hmm, the non-standard stuff won't break anything.
It's not like you're replacing the default 403 with an HTTP 200, it's more like creating your own page with 'Sorry, you do not have access to this page'.

I don't want to criticize... but:
If you're serious about getting PCI compliant, and you are having problems coping technically, won't the fact that you cannot do it yourself, and that you have no fallback, cause compliancy issues in your procedures? ;)


If you haven't disabled the default 'Hello, I am Apache version blah' footer in 404/403 yet, you can see what you're running there.
When you've confirmed that, please disable that footer (Apache's ServerSignature)... You'll provide people with too much information if it's enabled...
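
An added example, not part of the thread: an Apache 2.2 configuration fragment covering the two changes the reply describes. The `/errors/` URL, the `/var/www/errors` directory and the `ServerTokens` line are assumptions that the posts do not mention.

```apache
# Findings discussed above:
#   - with no ErrorDocument set, the built-in 403 body echoes the
#     requested URL path back to the client
#   - with ServerSignature On, server-generated error pages end with an
#     "Apache/x.y.z Server at host Port n" footer

# Serve a fixed body for 403. The status code stays 403; only the body
# changes, so clients and crawlers still see a normal "Forbidden".
# /errors/403.html is an assumed path holding static text only
# (no SSI or script that could reintroduce the request URL).
Alias /errors/ "/var/www/errors/"
<Directory "/var/www/errors">
    # The error page itself must be readable, otherwise Apache falls
    # back to the built-in page (Apache 2.2 access-control syntax).
    Order allow,deny
    Allow from all
    Options None
    AllowOverride None
</Directory>
ErrorDocument 403 /errors/403.html

# Alternative without a file: a fixed inline message.
# ErrorDocument 403 "Sorry, you do not have access to this page."

# Remove the version footer from server-generated pages.
ServerSignature Off

# Not mentioned in the thread: also reduce the "Server:" response
# header to just "Apache" so the version is not exposed there either.
ServerTokens Prod
```

Check the running version before turning the footer off, as the reply suggests, then reload Apache and request a forbidden URL to confirm that the response is still a 403 with the fixed body.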
 