www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-26 05:42:34 +03:00
Code Activity
Files
e1bfbe4960e658eb187bb012a391e7553cd772c8
apache/docs/manual/misc/security_tips.html
Sameer Parekh e1bfbe4960 Fix links to core.html 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@77050 13f79535-47bb-0310-9956-ffa450edef68
1996-11-26 05:36:42 +00:00

91 lines
2.8 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>Apache HTTP Server Documentation</TITLE>
</HEAD>
<BODY>
<!--#include virtual="header.html" -->
<H1>Security tips for server configuration</H1>
<hr>
<P>Some hints and tips on security issues in setting up a web server. Some of
the suggestions will be general, other, specific to Apache
<HR>
<H2>Server Side Includes</H2>
<P>Server side includes (SSI) can be configured so that users can execute
arbitrary programs on the server. That thought alone should send a shiver
down the spine of any sys-admin.<p>
One solution is to disable that part of SSI. To do that you use the
IncludesNOEXEC option to the <A HREF="../mod/core.html#options">Options</A>
directive.<p>
<HR>
<H2>Non Script Aliased CGI</H2>
<P>Allowing users to execute <B>CGI</B> scripts in any directory should only
be considered if;
<OL>
<LI>You trust your users not to write scripts which will deliberately or
accidentally expose your system to an attack.
<LI>You consider security at your site to be so feeble in other areas, as to
make one more potential hole irrelevant.
<LI>You have no users, and nobody ever visits your server.
</OL><p>
<HR>
<H2>Script Alias'ed CGI</H2>
<P>Limiting <B>CGI</B> to special directories gives the admin control over
what goes into those directories. This is inevitably more secure than
non script aliased CGI, but <strong>only if users with write access to the
directories are trusted</strong> or the admin is willing to test each new CGI
script/program for potential security holes.<P>
Most sites choose this option over the non script aliased CGI approach.<p>
<HR>
<H2>CGI in general</H2>
<P>Always remember that you must trust the writers of the CGI script/programs
or your ability to spot potential security holes in CGI, whether they were
deliberate or accidental.<p>
All the CGI scripts will run as the same user, so they have potential to
conflict (accidentally or deliberately) with other scripts e.g. User A hates
User B, so he writes a script to trash User B's CGI database.<P>
<HR>
Please send any other useful security tips to
<A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A>
<p>
<HR>
<H2>Stopping users overriding system wide settings...</H2>
<P>To run a really tight ship, you'll want to stop users from setting
up <CODE>.htaccess</CODE> files which can override security features
you've configured. Here's one way to do it...<p>
In the server configuration file, put
<blockquote><code>
&lt;Directory&gt; <br>
AllowOverride None <br>
Options None <br>
&lt;Limit GET PUT POST&gt; <br>
allow from all <br>
&lt;/Limit&gt; <br>
&lt;/Directory&gt; <br>
</code></blockquote>
Then setup for specific directories<P>
This stops all overrides, Includes and accesses in all directories apart
from those named.<p>
<!--#include virtual="footer.html" -->
</BODY>
</HTML>
View Git Blame Copy Permalink