
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Web Security
|
315
What, When, and Where to Secure
First secure your network and the operating system on your server, or all else will be
for naught. Then work your way through the topics covered in this chapter:
Web server
Build time: obtaining and installing Apache
Setup time: configuring Apache
Web content
Static
Dynamic: SSI
Dynamic: CGI
Web applications
Authentication
Authorization
Sessions
Database access
Site management
Web services
Layers of defense
Some Principles
Before we begin, let’s draw a deep breath and meditate on the basic security mantras
that underlie what we do in this chapter:
Simplify
Configure with least privilege. Avoid running programs as root. Restrict file own-
ership and permissions. Use the simplest configuration possible to serve files,
run CGI scripts, and write logs.
Reduce
Minimize surface area; a smaller target is harder to hit. Disable or remove unneeded
accounts, functions, modules, and programs. Things that stick out can break off.
Vandalism, data tampering, or site defacement
Inadvertent file deletion or modification
Data integrity
Theft of personal information
Leakage of personal data into URLs and logs
Data confidentiality
Unauthorized use of resources
Denial of Service
Crash/freeze from resource exhaustion (e.g., memory, disk, process
space, file descriptors, or database ...