Avoid services being accessible by their IP address via HTTP
Access to services via their IP address should be avoided: such requests should either redirect to the proper domain name (if the host is dedicated to just one particular service) or result in an error page or blank page, without actually dispatching to the application.
Items:
- https://185.17.71.143/q/status:open+-is:wip → HTTP Location: https://review.typo3.org/q/status:open+-is:wip
- https://185.17.71.132/console → HTTP Location: https://statistics.typo3.org/console
- in addition, retrieving the PHP source of /console might be blocked (similar to https://statistics.typo3.org/README.md)
- side-note: NOT considered a security vulnerability, sensitive URLs (like https://statistics.typo3.org/config/config.ini.php) are blocked
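
The rule described above, sketched as an added example (not code or configuration from the TYPO3 infrastructure): a WSGI middleware that answers requests whose Host header is an IP literal with a redirect or an empty error, so the application is never dispatched. The names `host_is_ip_literal`, `decide` and `IpHostGuard` are hypothetical, and doing this in the application layer is an assumption; the same rule is usually placed in the web server's default virtual host.

```python
import ipaddress
from urllib.parse import quote, urlsplit

def host_is_ip_literal(host_header):
    """True when the Host header is an IPv4/IPv6 literal (any port ignored)."""
    try:
        # urlsplit copes with "1.2.3.4:443" and "[2001:db8::1]:443" alike.
        hostname = urlsplit("//" + host_header.strip()).hostname
        ipaddress.ip_address((hostname or "").rstrip("."))
        return True
    except ValueError:
        return False

def decide(host_header, canonical_host=None, target="/"):
    """Return (status, headers) to answer directly, or None to dispatch."""
    if not host_is_ip_literal(host_header):
        return None
    if canonical_host:  # host dedicated to one service: redirect to its name
        location = f"https://{canonical_host}{target}"
        return "301 Moved Permanently", [("Location", location)]
    return "404 Not Found", []  # shared host: blank error, app never runs

class IpHostGuard:
    """WSGI middleware (hypothetical name) applying decide() before the app."""

    def __init__(self, app, canonical_host=None):
        self.app, self.canonical_host = app, canonical_host

    def __call__(self, environ, start_response):
        # Rebuild the request target from WSGI's decoded path plus query string.
        raw_path = environ.get("PATH_INFO", "/").encode("latin-1")
        target = quote(raw_path, safe="/:@!$&'()*+,;=")
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        host = environ.get("HTTP_HOST", "")
        verdict = decide(host, self.canonical_host, target)
        if verdict is None:
            return self.app(environ, start_response)
        status, headers = verdict
        start_response(status, headers + [("Content-Length", "0")])
        return [b""]
```
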