## HIGH Priority
-- [ ] **Per-directory path stripping** explained in full across three files
+- [x] **Per-directory path stripping** explained in full across three files
(intro.xml, tech.xml, htaccess.xml) with near-identical comparison
tables in tech.xml and htaccess.xml.
→ htaccess.xml owns it; others get a brief mention + xref.
description and complexity warnings from intro.xml.
→ Rewritten as concise intro + structured guide overview.
-- [ ] **Duplicate SSRF warning in flags.xml** — two nearly identical
+- [x] **Duplicate SSRF warning in flags.xml** — two nearly identical
warning boxes within the [P] flag section.
→ Remove the literal duplicate.
<note type="warning">
<title>Security Warning</title>
<p>Take care when constructing the target URL of the rule, considering
-the security impact from allowing the client influence over the set of
-URLs to which your server will act as a proxy. Ensure that the scheme
-and hostname part of the URL is either fixed, or does not allow the
-client undue influence.</p>
+the security impact of allowing the client influence over the set of
+URLs to which your server will act as a proxy. If any part of the
+target URL is derived from user input (backreferences, query strings,
+etc.), an attacker may be able to cause your server to make requests
+to arbitrary internal or external hosts. This is known as a
+Server-Side Request Forgery (SSRF) vulnerability. Ensure that the
+scheme and hostname part of the URL is either fixed, or does not allow
+the client undue influence.</p>
</note>
<note type="warning">
<p>Note: <module>mod_proxy</module> must be enabled in order
to use this flag.</p>
-<note type="warning"><title>Security warning</title>
-<p>Take care when constructing the target URL of the rule, considering
-the security impact of allowing the client influence over the set of
-URLs to which your server will act as a proxy. If any part of the
-target URL is derived from user input (backreferences, query strings,
-etc.), an attacker may be able to cause your server to make requests
-to arbitrary internal or external hosts. This is known as a
-Server-Side Request Forgery (SSRF) vulnerability.</p>
-</note>
-
</section>
<section id="flag_pt"><title>PT|passthrough</title>
projects / thirdparty / apache / httpd.git / commitdiff
