I'm not sure about that Error Messages,
or at least the example. I know I always
find it incredibly frustrating to get
meaningless fluff back as error messages
from a website. If the error has some
meat to it I might be able to remedy the
thing myself by altering the form data
or hand-parsing the URL.
in reply to Essential CGI Security Practices
Simply saying "Invalid Login" doesn't
buy you any securty if you're sending
in the clear over the wire, so why make
it harder on the user? There are other
ways of handling brute-force attacks
that you are expressing worry about
here (think escalating delays for failures).
On the other hand, if you are truly
paranoid minimizing the information
you betray about your system is
probably a good thing e.g. paths,
server information (HTTP headers, etc.)
(unfortunately?) that means no
"Powered by Apache" feathers either ;-)
As for %ENV I stand by "Re: perlsec question".
perl -pe "s/\b;([st])/'\1/mg"