Table of Contents

Forward to Introduction

Alert

Do your part to keep the WWW Security FAQ up to date. See below for submitting corrections and updates.

Mirrors

See this page for a listing of mirror sites or if you are interested in becoming a mirror site yourself.

CONTENTS

1. Introduction
2. What's New?
3. General Questions
   • Q1 What's to worry about?
   • Q2 Exactly what security risks are we talking about?
   • Q3 Are some Web servers and operating systems more secure than others?
   • Q4 Are some Web server software programs more secure than others?
   • Q5 Are CGI scripts insecure?
   • Q6 Are server-side includes insecure?
   • Q7 What general security precautions should I take?
   • Q8 Where can I learn more about network security?
4. Running a Secure Server
   • Q9 How do I set the file permissions of my server and document roots?
   • Q10 I'm running a server that provides a whole bunch of optional features. Are any of them security risks?
   • Q11 I heard that running the server as "root" is a bad idea. Is this true?
   • Q12 I want to share the same document tree between my ftp and Web servers. Is there any problem with this idea?
   • Q13 Can I make my site completely safe by running the server in a "chroot" environment?
   • Q14 My local network runs behind a firewall. How can I use it to increase my Web site's security?
   • Q15 My local network runs behind a firewall. How can I get around it to give the rest of the world access to the Web server?
   • Q16 How can I detect if my site's been broken into?
5. Protecting Confidential Documents at Your Site
   • Q17 What types of access restrictions are available?
   • Q18 How safe is restriction by IP address or domain name?
   • Q19 How safe is restriction by user name and password?
   • Q20 What is user verification?
   • Q21 How do I restrict access to documents by the IP address or domain name of the remote browser?
   • Q22 How do I add new users and passwords?
   • Q23 Isn't there a CGI script to allow users to change their passwords online?
   • Q24 Using .htaccess to control access in individual directories is so convenient, why should I use access.conf?
   • Q25 How does encryption work?
   • Q26 What are: SSL, SHTTP, Shen?
   • Q27 Are there any "freeware" secure servers?
   • Q28 Can I use Personal Certificates to Control Server Access?
   • Q29 How do I accept credit card orders over the Web?
   • Q30 What are: First Virtual Accounts, DigiCash, Cybercash?
6. CGI Scripts
   • Q31 What's the problem with CGI scripts?
   • Q32 Is it better to store scripts in the cgi-bin directory or to identify them using the .cgi extension?
   • Q33 Are compiled languages such as C safer than interpreted languages like Perl and shell scripts?
   • Q34 I found a great CGI script on the Web and I want to install it. How can I tell if it's safe?
   • Q35 What CGI scripts are known to contain security holes?
   • Q36 I'm developing custom CGI scripts. What unsafe practices should I avoid?
   • Q37 But if I avoid eval(), exec(), popen() and system(), how can I create an interface to my database/search engine/graphics package?
   • Q38 Is it safe to rely on the PATH environment variable to locate external programs?
   • Q39 I hear there's a package called cgiwrap that makes CGI scripts safe?
   • Q40 People can only use scripts if they're accessed from a form that lives on my local system, right?
   • Q41 Can people see or change the values in "hidden" form variables?
   • Q42 Is using the "POST" method for submitting forms more private than "GET"?
   • Q43 Where can I learn more about safe CGI scripting?
7. Safe Scripting in Perl
   • Q44 How do I avoid passing user variables through a shell when calling exec() and system()?
   • Q45 What are Perl taint checks? How do I turn them on?
   • Q46 OK, I turned on taint checks like you said. Now my script dies with the message: "Insecure path at line XX" every time I try to run it!
   • Q47 How do I "untaint" a variable?
   • Q48 I'm removing shell metacharacters from the variable, but Perl still thinks it's tainted!
   • Q49 Is it true that the pattern matching operation $foo=~/$user_variable/ is unsafe?
   • Q50 My CGI script needs more privileges than it's getting as user "nobody". How do I run a Perl script as suid?
8. Server Logs and Privacy
   • Q51 What information do readers reveal that they might want to keep private?
   • Q52 Do I need to respect my readers' privacy?
   • Q53 How do I avoid collecting too much information?
   • Q54 How do I protect my readers' privacy?
9. Client Side Security
   • Q55 Can I be attacked just by opening an e-mail message?
   • Q56 Someone suggested I configure /bin/csh as a viewer for documents of type application/x-csh. Is this a good idea?
   • Q57 Is there anything else I should keep in mind regarding external viewers?
   • Q58 How do I turn off the "You are submitting the contents of a form insecurely" message in Netscape? Should I worry about it?
   • Q59 How secure is the encryption used by SSL?
   • Q60 When I try to view a secure page, the browser complains that the site certificate doesn't match the server and asks me if I wish to continue. Should I?
   • Q61 When I try to view a secure page, the browser complains that it doesn't recognize the authority that signed its certificate and asks me if I want to continue. Should I?
   • Q61 How private are my requests for Web documents?
   • Q62 What's the difference between Java and JavaScript?
   • Q63 Are there any known security holes in Java?
   • Q64 Are there any known security holes in JavaScript?
   • Q65 What is ActiveX? Does it pose any risks?
   • Q66 Do "Cookies" Pose any Security Risks?
   • Q67 I hear there's an e-mail message making the rounds that can trash my hard disk when I open it. Is this true?
   • Q68 Can one Web site hijack another's content?
   • Q69 Can my web browser reveal my LAN login name and password?
   • Q70 Are there any known problems with Microsoft Internet Explorer?
   • Q71 Are there any known problems with Netscape Communicator?
   • Q72 Are there any known problems with Lynx for Unix?
10. Specific Servers
    • Windows NT Servers
      • Q73 Are there any known problems with the Netscape Servers?
      • Q74 Are there any known problems with the WebSite Server?
      • Q75 Are there any known problems with Purveyor?
      • Q76 Are there any known problems with Microsoft IIS?
      • Q77Are there any known security problems with Sun Microsystem's JavaWebServer?
      • Q78Are there any known security problems with the MetaInfo MetaWeb Server?
    • Unix Servers
      • Q79 Are there any known problems with NCSA httpd?
      • Q80 Are there any known problems with Apache httpd?
      • Q81 Are there any known problems with the Netscape Servers?
      • Q82 Are there any known problems with the Lotus Domino Go Server?
      • Q83 Are there any known problems with the WN Server?
    • Macintosh Servers
      • Q84 Are there any known problems with WebStar?
      • Q85 Are there any known problems with MacHTTP?
      • Q86 Are there any known problems with Quid Pro Quo?
    • Other Servers
      • Q87 Are there any known problems with Novell WebServer?
11. Bibliography

Corrections and Updates

I welcome bug reports, updates, reports about broken links, comments and outright disagreements. Please send your comments to lstein@cshl.org. Please make sure that you are referring to the most recent version of the FAQ (maintained at http://www.w3.org/Security/Faq/); someone else might have caught the problem before you.

Please understand that I maintain the FAQ on a purely voluntary basis, and that I may fall behind on making updates when other responsibilities intrude. You can help me out by making an attempt to identify replacement links when reporting a broken one, and by suggesting appropriate rewording when you have found an error in the text. Suggestions for new questions and answers are welcomed, particularly if you are willing to contribute the text yourself. ;-)

Table of Contents

Forward to Introduction

Last modified: Sun Dec 20 15:34:34 MET 1998