security_tips.html revision 2def4b444619c4a3f1508662c0feee58cd96a3ba
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>Apache HTTP Server Documentation</TITLE>
</HEAD>
<BODY>
<IMG SRC="/images/apache_sub.gif" ALT="">
<H1>Security tips for server configuration</H1>
<hr>
<P>Some hints and tips on security issues in setting up a web server. Some of
the suggestions will be general, other, specific to Apache
<HR>
<H2>Server Side Includes</H2>
<P>Server side includes (SSI) can be configured so that users can execute
arbitrary programs on the server. That thought alone should send a shiver
down the spine of any sys-admin.<p>
One solution is to disable that part of SSI. To do that you use the
IncludesNOEXEC option to the <A HREF="core.html#options">Options</A>
directive.<p>
<HR>
<H2>Non Script Aliased CGI</H2>
<P>Allowing users to execute <B>CGI</B> scripts in any directory should only
be considered if;
<OL>
<LI>You trust your users not to write scripts which will deliberately or
accidentally expose your system to an attack.
<LI>You consider security at your site to be so feeble in other areas, as to
make one more potential hole irrelevant.
<LI>You have no users, and nobody ever visits your server.
</OL><p>
<HR>
<H2>Script Alias'ed CGI</H2>
<P>Limiting <B>CGI</B> to special directories gives the admin control over
what goes into those directories. This is inevitably more secure than
non script aliased CGI, but <strong>only if users with write access to the
directories are trusted</strong> or the admin is willing to test each new CGI
script/program for potential security holes.<P>
Most sites choose this option over the non script aliased CGI approach.<p>
<HR>
<H2>CGI in general</H2>
<P>Always remember that you must trust the writers of the CGI script/programs
or your ability to spot potential security holes in CGI, whether they were
deliberate or accidental.<p>
All the CGI scripts will run as the same user, so they have potential to
conflict (accidentally or deliberately) with other scripts e.g. User A hates
User B, so he writes a script to trash User B's CGI database.<P>
<HR>
Please send any other useful security tips to
<A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A>
<p>
<HR>
<H2>Stopping users overriding system wide settings...</H2>
<P>To run a really tight ship, you'll want to stop users from setting
up <CODE>.htaccess</CODE> files which can override security features
you've configured. Here's one way to do it...<p>
In the server configuration file, put
<blockquote><code>
&lt;Directory&gt; <br>
AllowOverride None <br>
Options None <br>
&lt;Limit GET PUT POST&gt; <br>
allow from all <br>
&lt;/Limit&gt; <br>
&lt;/Directory&gt; <br>
</code></blockquote>
Then setup for specific directories<P>
This stops all overrides, Includes and accesses in all directories apart
from those named.<p><hr>
<A HREF="../"><IMG SRC="/images/apache_home.gif" ALT="Home"></A>
<A HREF="./"><IMG SRC="/images/apache_index.gif" ALT="Index"></A>
</BODY>
</HTML>