The World Wide Web Security FAQ
Lincoln D. Stein <lstein@cshl.org>
Version 1.9.0, June 30, 1998
Alert

The source code for server-side includes, including Allaire Cold Fusion pages, can be disclosed on certain Windows NT servers. See What's New for details.

Mirrors

The master copy of this document can be found at http://www.w3.org/Security/Faq/. See this page for a listing of mirror sites or if you are interested in becoming a mirror site yourself.
- Introduction
- What's New?
- General Questions
  - Q1 What's to worry about?
  - Q2 Exactly what security risks are we talking about?
  - Q3 Are some Web servers and operating systems more secure than others?
  - Q4 Are some Web server software programs more secure than others?
  - Q5 Are CGI scripts insecure?
  - Q6 Are server-side includes insecure?
  - Q7 What general security precautions should I take?
  - Q8 Where can I learn more about network security?
- Running a Secure Server
  - Q9 How do I set the file permissions of my server and document roots?
  - Q10 I'm running a server that provides a whole bunch of optional features. Are any of them security risks?
  - Q11 I heard that running the server as "root" is a bad idea. Is this true?
  - Q12 I want to share the same document tree between my ftp and Web servers. Is there any problem with this idea?
  - Q13 Can I make my site completely safe by running the server in a "chroot" environment?
  - Q14 My local network runs behind a firewall. How can I use it to increase my Web site's security?
  - Q15 My local network runs behind a firewall. How can I get around it to give the rest of the world access to the Web server?
  - Q16 How can I detect if my site's been broken into?
- Protecting Confidential Documents at Your Site
  - Q17 What types of access restrictions are available?
  - Q18 How safe is restriction by IP address or domain name?
  - Q19 How safe is restriction by user name and password?
  - Q20 What is user verification?
  - Q21 How do I restrict access to documents by the IP address or domain name of the remote browser?
  - Q22 How do I add new users and passwords?
  - Q23 Isn't there a CGI script to allow users to change their passwords online?
  - Q24 Using .htaccess to control access in individual directories is so convenient, why should I use access.conf?
  - Q25 How does encryption work?
  - Q26 What are: SSL, SHTTP, Shen?
  - Q27 Are there any "freeware" secure servers?
  - Q28 Can I use Personal Certificates to Control Server Access?
  - Q29 How do I accept credit card orders over the Web?
  - Q30 What are: First Virtual Accounts, DigiCash, Cybercash?
- CGI Scripts
  - Q31 What's the problem with CGI scripts?
  - Q32 Is it better to store scripts in the cgi-bin directory or to identify them using the .cgi extension?
  - Q33 Are compiled languages such as C safer than interpreted languages like Perl and shell scripts?
  - Q34 I found a great CGI script on the Web and I want to install it. How can I tell if it's safe?
  - Q35 What CGI scripts are known to contain security holes?
  - Q36 I'm developing custom CGI scripts. What unsafe practices should I avoid?
  - Q37 But if I avoid eval(), exec(), popen() and system(), how can I create an interface to my database/search engine/graphics package?
  - Q38 Is it safe to rely on the PATH environment variable to locate external programs?
  - Q39 I hear there's a package called cgiwrap that makes CGI scripts safe?
  - Q40 People can only use scripts if they're accessed from a form that lives on my local system, right?
  - Q41 Can people see or change the values in "hidden" form variables?
  - Q42 Is using the "POST" method for submitting forms more private than "GET"?
  - Q43 Where can I learn more about safe CGI scripting?
- Safe Scripting in Perl
  - Q44 How do I avoid passing user variables through a shell when calling exec() and system()?
  - Q45 What are Perl taint checks? How do I turn them on?
  - Q46 OK, I turned on taint checks like you said. Now my script dies with the message: "Insecure path at line XX" every time I try to run it!
  - Q47 How do I "untaint" a variable?
  - Q48 I'm removing shell metacharacters from the variable, but Perl still thinks it's tainted!
  - Q49 Is it true that the pattern matching operation $foo=~/$user_variable/ is unsafe?
  - Q50 My CGI script needs more privileges than it's getting as user "nobody". How do I run a Perl script as suid?
- Server Logs and Privacy
  - Q51 What information do readers reveal that they might want to keep private?
  - Q52 Do I need to respect my readers' privacy?
  - Q53 How do I avoid collecting too much information?
  - Q54 How do I protect my readers' privacy?
- Client Side Security
  - Q55 Someone suggested I configure /bin/csh as a viewer for documents of type application/x-csh. Is this a good idea?
  - Q56 Is there anything else I should keep in mind regarding external viewers?
  - Q57 How do I turn off the "You are submitting the contents of a form insecurely" message in Netscape? Should I worry about it?
  - Q58 How secure is the encryption used by SSL?
  - Q59 When I try to view a secure page, the browser complains that the site certificate doesn't match the server and asks me if I wish to continue. Should I?
  - Q60 When I try to view a secure page, the browser complains that it doesn't recognize the authority that signed its certificate and asks me if I want to continue. Should I?
  - Q61 How private are my requests for Web documents?
  - Q62 What's the difference between Java and JavaScript?
  - Q63 Are there any known security holes in Java?
  - Q64 Are there any known security holes in JavaScript?
  - Q65 What is ActiveX? Does it pose any risks?
  - Q66 Do "Cookies" Pose any Security Risks?
  - Q67 Can your web browser reveal your LAN login name and password?
  - Q68 Are there any known problems with Microsoft Internet Explorer?
  - Q69 Are there any known problems with Netscape Communicator?
  - Q70 Are there any known problems with Lynx for Unix?
- Specific Servers
  - Windows NT Servers
    - Q71 Are there any known problems with the Netscape Servers?
    - Q72 Are there any known problems with the WebSite Server?
    - Q73 Are there any known problems with Purveyor?
    - Q74 Are there any known problems with Microsoft IIS?
    - Q75 Are there any known security problems with Sun Microsystem's JavaWebServer?
    - Q76 Are there any known security problems with the MetaInfo MetaWeb Server?
  - Unix Servers
    - Q77 Are there any known problems with NCSA httpd?
    - Q78 Are there any known problems with Apache httpd?
    - Q79 Are there any known problems with the Netscape Servers?
    - Q80 Are there any known problems with the Lotus Domino Go Server?
    - Q81 Are there any known problems with the WN Server?
  - Macintosh Servers
    - Q82 Are there any known problems with WebStar?
    - Q83 Are there any known problems with MacHTTP?
    - Q84 Are there any known problems with Quid Pro Quo?
  - Other Servers
    - Q85 Are there any known problems with Novell WebServer?
- Bibliography
Lincoln D. Stein (lstein@cshl.org)
WWW Consortium
Last modified: Tue Jun 30 23:04:39 EDT 1998