18.2. Using HTTP Authentication

In addition to keeping your web server itself secure, another dimension of security you may need to consider is how to restrict access to your web server — or at least certain parts of it — to particular people. For example, if you run a personal website, you may want to have a section of the site with information that only family members should see; or for a business site, there may be a portion intended for public consumption and other pages to which only employees should have access. When the problem is regulating who can see certain pages and who can't, the solution is to use some form of authentication. In most cases, this means nothing more than asking users to type a username and password and then checking that they're valid before delivering web pages.

There are many ways of authenticating web access, and each has its pros and cons. Almost all of them involve some sort of programming: writing code that accepts input from a form on a web page and then takes the appropriate action. But another option exists, which requires no programming at all and is platform-neutral. Because this approach, called HTTP authentication, relies on a challenge-and-response mechanism built into the HTTP protocol itself, supported by every browser and by the web server's own configuration rather than by application code you write, it lets you restrict access to certain files with very little effort.

HTTP authentication works like this: A visitor types the URL for a protected portion of your site and his or her browser displays a login window over a blank page. Each browser ...
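The exchange described above, as an added example that is not code from the book: a server that answers a request for a protected path with a 401 status and a WWW-Authenticate challenge, and then verifies the Authorization header the browser sends back once the user has typed a username and password. It uses Python's standard library only; the realm name, the /family/ path, the user "alice" and her password are constructed for the example. Two caveats the example builds in: the Basic scheme only base64-encodes the credentials, so it must be served over HTTPS, and the server stores password hashes rather than the passwords themselves.

```python
import base64
import hashlib
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Family only"          # assumed realm; shown in the browser's login window
PROTECTED_PREFIX = "/family/"  # assumed protected portion of the site


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_db(plain_users: dict) -> dict:
    """Store salted PBKDF2 hashes, never clear-text passwords."""
    return {name: (salt := secrets.token_bytes(16), _pbkdf2(pw, salt))
            for name, pw in plain_users.items()}


# Constructed sample user for the example.
USERS = make_user_db({"alice": "correct horse battery staple"})


def challenge_header() -> str:
    """Value of the WWW-Authenticate header sent with the 401 response."""
    return f'Basic realm="{REALM}", charset="UTF-8"'


def basic_authorization_header(user: str, password: str) -> str:
    """What the browser sends after the user fills in the login window (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header):
    """Return (user, password) from a 'Basic <base64>' header, or None if malformed."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password itself may contain ':'
    if not sep:
        return None
    return user, password


def check_credentials(header, db: dict) -> bool:
    parsed = parse_basic_authorization(header)
    if parsed is None:
        return False
    user, password = parsed
    # Hash against a dummy entry for unknown users so timing does not reveal valid names.
    salt, expected = db.get(user, (b"\x00" * 16, b"\x00" * 32))
    ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    return ok and user in db


class ProtectedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith(PROTECTED_PREFIX) and not check_credentials(
                self.headers.get("Authorization"), USERS):
            # First visit (or wrong password): challenge; the browser shows its login window.
            self.send_response(401)
            self.send_header("WWW-Authenticate", challenge_header())
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"Welcome to the family pages.\n" if self.path.startswith(PROTECTED_PREFIX) \
            else b"Public page.\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Run behind TLS in practice; plain HTTP here only so the flow can be watched locally.
    HTTPServer(("127.0.0.1", 8080), ProtectedHandler).serve_forever()
```

With the server running, a request for /public/ is served at once, while a request for /family/ first gets the 401 with the challenge; after the user enters the password the browser resends the request with the Authorization header and keeps attaching it to later requests in the same realm.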
