They will see a long string of base64 that takes a quarter of a second longer to load then a regular page. If it’s important to you, you can make the base64 string invisible and add some HTML to make it appear as a normal 404 page.
I don’t know a lot about this, but I would guess a normal user would like a message, that says something along the lines of “404, couldn’t find what you were looking for.” The status code and the links back to itself as well as the 13 MBs of noise should probably not irritate them. Hidden links should also not irritate normal users.
I also “don’t know a lot about this”, but I do know that your browser receiving a 200 means that everything worked properly. From what I can tell, this technique is replaces any and every 404 response with 200, thus tricking the browser (and therefore the user) into thinking the site is working as expected every time they run into a missing webpage on this site.
I use Apache2 and PHP, here’s what I did:
in .htaccess you can set
ErrorDocument 404 /error-hole.phphttps://httpd.apache.org/docs/2.4/custom-error.htmlin error-hole.php,
<?php http_response_code(200); ?> <p>*paste a string that is 13 megabytes long*</p>For the string, I used
ddto generate 13 MBs of noise from/dev/urandomand then I converted that to base64 so it would paste into error-hole.phpYou should probably hide some invisible dead links around your website as honeypots for the bots that normal users can’t see.
How does this affect a genuine user who experiences a 404 on your site?
They will see a long string of base64 that takes a quarter of a second longer to load then a regular page. If it’s important to you, you can make the base64 string invisible and add some HTML to make it appear as a normal 404 page.
I don’t know a lot about this, but I would guess a normal user would like a message, that says something along the lines of “404, couldn’t find what you were looking for.” The status code and the links back to itself as well as the 13 MBs of noise should probably not irritate them. Hidden links should also not irritate normal users.
I also “don’t know a lot about this”, but I do know that your browser receiving a 200 means that everything worked properly. From what I can tell, this technique is replaces any and every 404 response with 200, thus tricking the browser (and therefore the user) into thinking the site is working as expected every time they run into a missing webpage on this site.
The user doesn’t see the status code, they see what’s rendered to the screen.
That string is going to end up being 17MB assuming it’s a utf8 encoded .php file
idk what to tell you.
ls -lha -rw-rw-r-- 1 www-data www-data 14M Jan 14 23:05 error-hole.php