1

Due to a recent upgrade in the scanning done by our PCI compliance testers, we recently failed a PCI, and the suggested solution is as follows:

Configure the HTTP server to specify the same error documents for both 403 (Forbidden) and 404 (Page Not Found) responses.

Our main site is running a Drupal installation, and the Drupal .htaccess file has the following entry:

# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php

In order to rectify the above, is this a simple matter of adding the following:

ErrorDocument 403 /index.php

Or do I need to do something more complicated?

CodesInChaos
JonoB

1 Answer

1

I would just set your 403 and 404 error pages in /admin/config/system/site-information to be the same page/node.

By default Drupal is already handling your error pages unless you have already modified your .htaccess file. The downside to making changes to the .htaccess file is that every time you update Drupal you have to be careful to preserve your changes.

3dinfluence
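
A way to confirm the result after making either change discussed in this thread, added here as an example (not code from the question or the answer): request one path that returns 403 and one that returns 404, then compare the two bodies. The function names, the paths `/private` and `/no-such-page`, and the local demo server are constructed for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore proxy environment variables so the request goes straight to the host.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_error(url):
    """Return (status, body) even when the server answers with an error."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def same_error_document(base, forbidden_path, missing_path):
    """True when the 403 and 404 responses carry byte-identical bodies."""
    s403, b403 = fetch_error(base + forbidden_path)
    s404, b404 = fetch_error(base + missing_path)
    if (s403, s404) != (403, 404):
        raise ValueError(f"expected 403/404, got {s403}/{s404}")
    return b403 == b404

def run_demo(shared_page):
    """Constructed local stand-in: /private -> 403, everything else -> 404."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            code = 403 if self.path == "/private" else 404
            body = b"<h1>Not available</h1>" if shared_page else b"<h1>%d</h1>" % code
            self.send_response(code)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return same_error_document(base, "/private", "/no-such-page")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("separate pages:", run_demo(False), "| shared page:", run_demo(True))
```

Against a real site, call `same_error_document` with the site's base URL and two paths known to return 403 and 404. A byte-for-byte comparison is the strictest form of the check, so error pages that embed per-request content would need that content stripped before comparing.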