phranque - 8:37 pm on May 2, 2012 (gmt 0)
Best course is to not publish the test folder or test domain, or perhaps use an IP instead of a domain name.
if the response is a 200 OK for any requested url then that url is "published".
i've seen plenty of unwanted duplicate content in the index under IP addresses.
"security through obscurity" is not the solution here.
if you need to test handshaking between your server and another (e.g., payment processors)
Allow from nnn.nnn.nnn.nnn
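The `Allow from` line above, placed in a complete access-control block, as an added example that is not part of the original post. It assumes an Apache `.htaccess` file in the test site's root; both addresses are constructed placeholders standing in for your own IP and the remote server that has to reach the test site.

```apache
# .htaccess in the test site's document root (added example, not from the post).
# 192.0.2.10   = constructed placeholder for your own office/home address
# 203.0.113.25 = constructed placeholder for the remote server (e.g. a payment
#                processor callback host) that must reach the test site
# The server config must permit these directives in .htaccess via AllowOverride.

# Apache 2.4: mod_authz_core is present, use Require.
# Several Require lines outside a container are OR-ed together.
<IfModule mod_authz_core.c>
    Require ip 192.0.2.10
    Require ip 203.0.113.25
</IfModule>

# Apache 2.2: mod_authz_core is absent, use Order/Deny/Allow.
# "Order deny,allow" evaluates Deny first, then lets Allow override it,
# so everything is refused except the listed addresses.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    Allow from 203.0.113.25
</IfModule>
```

With this in place, any client not on the list receives 403 Forbidden instead of 200 OK, whether it asks for the site by hostname or by IP address.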