Web programming

Units WEB1P and WEB2P

Web server security

Before going on to discuss how to make your web server safe and secure, it is important to understand the nature of the threats against it.

The Internet is a wild and unregulated place, a bit like the Wild West as depicted in cowboy movies. In the movies, a masked outlaw could easily come along and rob a bank or hold up a stagecoach. After the action, he usually got away back to his hideout in the hills. Even if the posse went after him, the trail quickly became cold. It's the same with the Internet. It's relatively easy to conceal your identity and to cover your trail, so that villains can "hold up" websites and not be traced.

Browse the World Wide Web Security FAQ. A version of it can be found in Appendix C of Stein (page 723). A more recent version is on the web at http://www.w3.org/Security/Faq/.

It is an easily read introduction to many of the issues that affect website security, including security on both the client and server sides, avoiding problems with CGI scripts, protecting confidential documents, and denial of service attacks. Other topics include writing safe Perl scripts, maintaining privacy, and problems with particular software.

Points to note

Balance security and convenience

Of course it is possible to make your web server totally secure. Firstly, lock the computer in a secure room and don't let anyone have entry to it. Secondly, don't ever allow anyone to log in to the computer. Thirdly, don't connect it to a network and particularly not the Internet. However those steps aren't very practicable unless you're in the business of launching nuclear missiles, where security on that scale really is necessary (we hope!). Therefore, security always needs to be offset against convenience, and the management of a website involves appreciating the risks involved in providing access to a service and balancing them against the benefits of so doing. There are no perfect solutions.

Inevitably, part of the approach is to "wait and see what happens" and then respond as quickly as possible to block the intrusion, repair any damage, and hopefully detect the perpetrators. The lead organisation for many aspects of that is the CERT Coordination Center (CERT/CC) based at Carnegie Mellon University in the USA. They issue alerts, particularly about vulnerabilities revealed in software packages, and advice about how to develop software that doesn't have vulnerabilities (or that reduces the risk of them).


Last updated by Prof Jim Briggs of the School of Computing at the University of Portsmouth

The web programming units include some material that was formerly part of the WPRMP, WECPP, WPSSM and WEMAM units.