User stupidity v. design stupidity

26 March 2006

There’s a lot of linkage to this initially entertaining account of how one user thought CentOS, a Linux distribution, was responsible for “hacking” into his site, when all that had gone wrong was that he was seeing the default Apache page. But while the geek crowd crack in-jokes and snigger at this fool (and make no mistake, he is a fool, being paranoid to think he was hacked in the first place, incredibly slow on the uptake, and willing to threaten them with a visit from the FBI), they are missing the point. The real reason why the guy wasted all their time with this was not because he was an idiot, but because their Apache test page is so shittily designed. Don’t believe me? Then take a look at it.

For starters, there is no good reason why the OS should be mentioned in such big letters at the top of the page, or the logo shown. I can’t think of many actual production websites that say which OS they run on, with good reason – it is totally irrelevant to the average end user. If they see it, they’re not going to understand. On the other hand, if you are actually the person who’s administrator on the box, then you already know what the OS and server are – you’re the one who installed them. All you need to know when installing Apache is whether you’ve got it to work; a simple success message with the current time is what you need.

Granted, OS and HTTP server information are useful for collecting statistics about usage, but for this purpose they can (and indeed should) be included in the headers so they can be collated automatically. Speaking of HTTP headers, total aside – I might have linked to Fun with HTTP headers before, but it’s worth linking again.

Right, back to my point. Of course, whoever came up with this design was vaguely aware of this, as after inserting the CentOS logo they have had to insert a long tedious explanation about what CentOS actually is, and a “please don’t complain to us, we just provide the OS for this, we do not host this site” explanation that continues long down the page. Any self-respecting hacker would pause to think that if your 20-line code works OK but needs a 200-line patch to avoid problems when it comes to implementation, perhaps it’s best to reconsider your approach and see if there is a better way. But with text, they don’t seem to be willing to do the same. In this case, they could have avoided all the kerfuffle by having a very boring logo-less, Times New Roman-rendered message with a default colour background; making your default test page look pants makes it very clear that it is intended to be a default test page.

And while they were at it, they could have got rid of the instructions for the developer/installer – they should only be in the installation documentation; it’s easier that way and avoids the two sets of instructions getting out of sync and possibly contradicting each other. Get rid of that, and what you’re left with is little more than:

Default Test Page

This is the default test page for www.hostname.com. If you are not expecting this page to be here, then you should contact the webmaster at webmaster@hostname.com.


Apache server at www.hostname.com 12:00:00 (UTC) 01/01/2006

Just as you can’t legislate against stupidity, you can’t code against stupidity: nothing you write is ever going to stop people being stupid. But you can certainly code (and legislate) to prevent them from going down the stupid route and protect everyone else from its worst excesses.


One Response

Not relevant to this post, but your main RSS feed (http://www.qwghlm.co.uk/blog/wp-rss2.php) appears to be scrod – at least, it hasn’t been playing nicely with Sage’s feed-update-checker for the last couple of days.