docs/manual/misc/security_tips.html - httpd - Git at Google

 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <HTML>
 <HEAD>
 <TITLE>Apache HTTP Server Documentation</TITLE>
 </HEAD>

 <BODY>
 <IMG SRC="../images/apache_sub.gif" ALT="">
 <H1>Security tips for server configuration</H1>

 <hr>

 <P>Some hints and tips on security issues in setting up a web server. Some of
 the suggestions will be general, other, specific to Apache

 <HR>

 <H2>Server Side Includes</H2>
 <P>Server side includes (SSI) can be configured so that users can execute
 arbitrary programs on the server. That thought alone should send a shiver
 down the spine of any sys-admin.<p>

 One solution is to disable that part of SSI. To do that you use the
 IncludesNOEXEC option to the <A HREF="core.html#options">Options</A>
 directive.<p>

 <HR>

 <H2>Non Script Aliased CGI</H2>
 <P>Allowing users to execute <B>CGI</B> scripts in any directory should only
 be considered if;
 <OL>
  <LI>You trust your users not to write scripts which will deliberately or
 accidentally expose your system to an attack.
  <LI>You consider security at your site to be so feeble in other areas, as to
 make one more potential hole irrelevant.
  <LI>You have no users, and nobody ever visits your server.
 </OL><p>
 <HR>

 <H2>Script Alias'ed CGI</H2>
 <P>Limiting <B>CGI</B> to special directories gives the admin control over
 what goes into those directories. This is inevitably more secure than
 non script aliased CGI, but <strong>only if users with write access to the
 directories are trusted</strong> or the admin is willing to test each new CGI
 script/program for potential security holes.<P>

 Most sites choose this option over the non script aliased CGI approach.<p>

 <HR>
 <H2>CGI in general</H2>
 <P>Always remember that you must trust the writers of the CGI script/programs
 or your ability to spot potential security holes in CGI, whether they were
 deliberate or accidental.<p>

 All the CGI scripts will run as the same user, so they have potential to
 conflict (accidentally or deliberately) with other scripts e.g. User A hates
 User B, so he writes a script to trash User B's CGI database.<P>

 <HR>

 Please send any other useful security tips to
 <A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A>
 <p>
 <HR>

 <H2>Stopping users overriding system wide settings...</H2>
 <P>To run a really tight ship, you'll want to stop users from setting
 up <CODE>.htaccess</CODE> files which can override security features
 you've configured. Here's one way to do it...<p>

 In the server configuration file, put
 <blockquote><code>
 &lt;Directory&gt; <br>
 AllowOverride None <br>
 Options None <br>
 &lt;Limit GET PUT POST&gt; <br>
 allow from all <br>
 &lt;/Limit&gt; <br>
 &lt;/Directory&gt; <br>
 </code></blockquote>

 Then setup for specific directories<P>

 This stops all overrides, Includes and accesses in all directories apart
 from those named.<p><hr>

 <A HREF="../"><IMG SRC="../images/apache_home.gif" ALT="Home"></A>
 <A HREF="./"><IMG SRC="../images/apache_index.gif" ALT="Index"></A>

 </BODY>
 </HTML>
	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
	<HTML>
	<HEAD>
	<TITLE>Apache HTTP Server Documentation</TITLE>
	</HEAD>

	<BODY>
	<IMG SRC="../images/apache_sub.gif" ALT="">
	<H1>Security tips for server configuration</H1>

	<hr>

	<P>Some hints and tips on security issues in setting up a web server. Some of
	the suggestions will be general, other, specific to Apache

	<HR>

	<H2>Server Side Includes</H2>
	<P>Server side includes (SSI) can be configured so that users can execute
	arbitrary programs on the server. That thought alone should send a shiver
	down the spine of any sys-admin.<p>

	One solution is to disable that part of SSI. To do that you use the
	IncludesNOEXEC option to the <A HREF="core.html#options">Options</A>
	directive.<p>

	<HR>

	<H2>Non Script Aliased CGI</H2>
	<P>Allowing users to execute <B>CGI</B> scripts in any directory should only
	be considered if;
	<OL>
	<LI>You trust your users not to write scripts which will deliberately or
	accidentally expose your system to an attack.
	<LI>You consider security at your site to be so feeble in other areas, as to
	make one more potential hole irrelevant.
	<LI>You have no users, and nobody ever visits your server.
	</OL><p>
	<HR>

	<H2>Script Alias'ed CGI</H2>
	<P>Limiting <B>CGI</B> to special directories gives the admin control over
	what goes into those directories. This is inevitably more secure than
	non script aliased CGI, but <strong>only if users with write access to the
	directories are trusted</strong> or the admin is willing to test each new CGI
	script/program for potential security holes.<P>

	Most sites choose this option over the non script aliased CGI approach.<p>

	<HR>
	<H2>CGI in general</H2>
	<P>Always remember that you must trust the writers of the CGI script/programs
	or your ability to spot potential security holes in CGI, whether they were
	deliberate or accidental.<p>

	All the CGI scripts will run as the same user, so they have potential to
	conflict (accidentally or deliberately) with other scripts e.g. User A hates
	User B, so he writes a script to trash User B's CGI database.<P>

	<HR>

	Please send any other useful security tips to
	<A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A>
	<p>
	<HR>

	<H2>Stopping users overriding system wide settings...</H2>
	<P>To run a really tight ship, you'll want to stop users from setting
	up <CODE>.htaccess</CODE> files which can override security features
	you've configured. Here's one way to do it...<p>

	In the server configuration file, put
	<blockquote><code>
	<Directory> <br>
	AllowOverride None <br>
	Options None <br>
	<Limit GET PUT POST> <br>
	allow from all <br>
	</Limit> <br>
	</Directory> <br>
	</code></blockquote>

	Then setup for specific directories<P>

	This stops all overrides, Includes and accesses in all directories apart
	from those named.<p><hr>

	<A HREF="../"><IMG SRC="../images/apache_home.gif" ALT="Home"></A>
	<A HREF="./"><IMG SRC="../images/apache_index.gif" ALT="Index"></A>

	</BODY>
	</HTML>