Comments on: Why proper error handling is important

By: g1smd

g1smd — Sat, 20 Mar 2010 17:53:05 +0000

I asked for a second opinion since you’re so set on this. Here’s a summary of the reply I received.

A badly-written (or malicious) script intentionally or otherwise using HTTP/1.0 to send requests received by an IP-based server (i.e. one having a unique IP address which therefore *can* be reached with an HTTP “Host” header) will lead to an infinite redirection loop. Since this violates his own stated preference “to minimize redirects,” it seems a no-brainer to support/properly-handle HTTP/1.0 requests by excluding blank hostnames from being redirected.

The same can be said for the uppercase domains: Sure, the *server* is case-insensitive, but do you want to rely on the “kindness of others” not go and create a bunch of mis-cased links to your site? Google and the other majors may sort this in their back-end processing, but what if they drop the ball? What about other search engines, are they that smart, too? I say, delete the [NC] and get on with it.

On the Web, one cannot discount the fact that many access requests come from incompetent and/or malicious scripters. I want my server’s function and my page’s SERP rankings under *my* control, thank you very much.

Please also note that the quotes around “.ht*” in the “” directive are “smart quotes” or “high-bit-set character-code quotes” and will either crater the server with a HTTP 500 Error, or just not work — and I haven’t got time to test which one right now.

For myself, I’d follow the Apache recommendation here, and use

Deny from all

instead.
.

That’s the problem with .htaccess. It’s very compact, very powerful server configuration code. There’s often many ways to apparently achieve the same thing, but some might have flaws that have catastrophic consequences for rankings and traffic even though the code ‘appears’ to work. In addition there are many other ways to try to do some jobs that are totally inappropriate. I look back at code I wrote several years ago, and now change it in several ways using the various things I have learned since then.

By: Sebastian

Sebastian — Fri, 19 Mar 2010 20:30:33 +0000

Taking the risk of driving you and JdMorgan from WMW as well crazy, we can agree on this?

RewriteCond %{HTTP_HOST} !^(www\.canonical-server-name\.com)?$ [NC]

By: g1smd

g1smd — Fri, 19 Mar 2010 17:16:55 +0000

No. Your original rule WILL correctly redirect both example.com:80 (port number) and example.com. (trailing period) requests, but it WILL NOT redirect non-canonical www.example.com:80 and www.example.com. requests as originally coded.

In the interests of fixing all non-canonical incoming links, the proposed replacement does fix ALL of those problems. I prefer to redirect all non-canonical requests (incorrect protocol, sub-domain, domain, TLD, trailing period, port number, or combination of those) to the canonical form.

As for HTTP/1.0, it is so easy to add support for that, that it seems pointless to not do so. I know that most so-called HTTP/1.0 requests DO include a valid host header, but it only takes one request to arrive without and you potentially have a self-DOS problem on your hands.

By: Sebastian

Sebastian — Fri, 19 Mar 2010 16:46:20 +0000

g1smd, I disagree, and here’s why:

Server names aren’t case sensitive. wWw.ExamplE.COM == www.example.com. Since URIs with just uppercase/lowercase differences in the server name part aren’t different at all, there’s no point in redirecting for cosmetic reasons. All uppercase server names may look pretty ugly, but technically that’s not an issue. Also, avoiding redirects when possible is a good idea.

I consider requests with a port number faulty, or even abusive, hence I redirect them. That works both for :80 (http) and :443 (https). We don’t deal with crappy AOL proxies from the last century any more.

As for HTTP/1.0 requests, those are rare nowadays, and mostly faked, that is they tell HTTP/1.0 but provide an HTTP/1.1 host header. True HTTP/1.0 requests are dead, those ancient user agents can’t even handle virtual hosts (many domains sharing one IP). So when there’s no point for anybody in performing HTTP/1.0 requests at all, why should I still support them?

Agree?

By: g1smd

g1smd — Thu, 18 Mar 2010 20:40:11 +0000

I was surprised to see your “Proper Error Handling” code has several points of failure.

This line in particular:

RewriteCond %{HTTP_HOST} !^www\.canonical-server-name\.com [NC]

It fails to redirect www with port number or trailing period; also fails for wrong casing.

It also crates an infinite loop for HTTP/1.0 requests because host header is blank for HTTP/1.0 requests.

Simple solution, replace [NC] with $, and add ( ) and ?:

RewriteCond %{HTTP_HOST} !^(www\.canonical-server-name\.com)?$

By: ‘I Robot’ with SebastianX of ‘Sebastian’s Pamphlets’ > Robots.txt Help - Hobo SEO UK

Wed, 09 Jan 2008 23:48:15 +0000

[…] Why proper error handling is important […]

By: Upgrading from IIS/ASP to Apache/PHP

Upgrading from IIS/ASP to Apache/PHP — Tue, 11 Dec 2007 20:47:44 +0000

[…] I refuse to discuss IIS error handling. On Apache servers you simply put ErrorDocument directives in your root’s .htaccess file: ErrorDocument 401 /get-the-fuck-outta-here.asp ErrorDocument 403 /get-the-fudge-outta-here.asp ErrorDocument 404 /404handler.php ErrorDocument 410 /410-gone-forever.asp ErrorDocument 503 /410-down-for-maintenance.asp # … Options -Indexes Then create neat pages for each HTTP response code which explain the error to the visitor and offer alternatives. Of course you can handle all response codes with one single script: ErrorDocument 401 /error.php?errno=401 ErrorDocument 403 /error.php?errno=403 ErrorDocument 404 /404handler.php ErrorDocument 410 /error.php?errno=410 ErrorDocument 503 /error.php?errno=503 # … Options -Indexes Note that relative URLs in pages or scripts called by ErrorDocument directives don’t work. Don’t use absolute URLs in ErrorDocument directives itself, because this way you get 302 response codes for 404 errors and crap like that. If you cover the 401 response code with a fully qualified URL, your server will explode. (Ok, it will just hang but that’s bad enough.) For more information please read my pamphlet Why error handling is important. […]

By: Riccardo Giuntoli

Riccardo Giuntoli — Wed, 21 Nov 2007 06:51:48 +0000

Thank you for this good guide.

There’s a nice tool to build .htaccess file directly on web with a simple form:

www . htaccesseditor . com /en.shtml [Delinked, the first .htaccess code generation I’ve tried produces utterly bullshit. If you use the code for www vs. non-www canonicalization from this page you create an exploit enabling negative SEO.]

Best regards, Riccardo Giuntoli.

By: SEO-sanitizing a WordPress theme in 5 minutes

SEO-sanitizing a WordPress theme in 5 minutes — Fri, 31 Aug 2007 15:25:24 +0000

[…] to your theme’s error page. If you don’t blog in the root, learn here how you should handle HTTP errors outside the /blog/ directory. Load 404.php in an ASCII editor to check whether it will actually send a 404 response. If the very […]

By: Google Webmasters Help FAQ » Blog Archive » Error handling and robots.txt (Apache)

Fri, 24 Aug 2007 09:16:38 +0000

[…] Reprinted with permission […]