Posted to cvs@httpd.apache.org by sl...@apache.org on 2001/10/02 17:37:34 UTC

cvs commit: httpd-docs-1.3/htdocs/manual/misc security_tips.html

slive       01/10/02 08:37:34

  Modified:    htdocs/manual/misc security_tips.html
  Log:
  Add an index.
  Submitted by:	Allan Liska <al...@allan.org>
  
  Revision  Changes    Path
  1.24      +23 -6     httpd-docs-1.3/htdocs/manual/misc/security_tips.html
  
  Index: security_tips.html
  ===================================================================
  RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/misc/security_tips.html,v
  retrieving revision 1.23
  retrieving revision 1.24
  diff -u -d -b -u -r1.23 -r1.24
  --- security_tips.html	2001/09/24 01:36:41	1.23
  +++ security_tips.html	2001/10/02 15:37:34	1.24
  @@ -15,6 +15,23 @@
   <!--#include virtual="header.html" -->
   <H1 ALIGN="CENTER">Security Tips for Server Configuration</H1>
   
  +
  +<ul>
  +<li><a href="#serverroot">Permissions on ServerRoot Directories</a></li>
  +
  +<li><a href="#ssi">Server Side Includes</a>
  +
  +<li><a href="#nsaliasedcgi">Non Script Aliased CGI</a></li>
  +
  +<li><a href="#saliasedcgi">Script Aliased CGI</a></li>
  +
  +<li><a href="#cgi">CGI in General</a></li>
  +
  +<li><a href="#systemsettings">Protecting System Settings</a></li>
  +
  +<li><a href="#protectserverfiles">Protect Server Files by Default</a></li>
  +</ul>
  +
   <HR>
   
   <P>Some hints and tips on security issues in setting up a web server. Some of
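Review bot: The "#ssi" entry in the new index list, <li><a href="#ssi">Server Side Includes</a>, is missing its closing </li>, unlike the other six entries; add it so the list is consistent. Separately, the first entry links to "#serverroot", but none of the hunks in this patch adds a matching name="serverroot" anchor (the heading hunks cover ssi, nsaliasedcgi, saliasedcgi, cgi, systemsettings and protectserverfiles only). Confirm that anchor already exists in revision 1.23 or add it here, otherwise the first index link points nowhere.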
  @@ -69,7 +86,7 @@
   may be able to overwrite the log itself with bogus data.
   <P>
   <HR>
  -<H2>Server Side Includes</H2>
  +<h2><a name="ssi">Server Side Includes</a></h2>
   <P>Server side includes (SSI) can be configured so that users can execute
   arbitrary programs on the server. That thought alone should send a shiver
   down the spine of any sys-admin.<P>
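Review bot: The replacement heading is written with lowercase <h2> and <a> tags, while the context lines around it (<P>, <HR>, and the <H1> at the top of the file) use uppercase. Keep the file's existing convention, for example <H2><A NAME="ssi">Server Side Includes</A></H2>. The same applies to the other heading lines changed in this patch.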
  @@ -80,7 +97,7 @@
   
   <HR>
   
  -<H2>Non Script Aliased CGI</H2>
  +<h2><a name="nsaliasedcgi">Non Script Aliased CGI</a></h2>
   <P>Allowing users to execute <STRONG>CGI</STRONG> scripts in any directory
   should only
   be considered if;
  @@ -93,7 +110,7 @@
   </OL><P>
   <HR>
   
  -<H2>Script Alias'ed CGI</H2>
  +<h2><a name="saliasedcgi">Script Aliased CGI</a></h2>
   <P>Limiting <STRONG>CGI</STRONG> to special directories gives the admin
   control over
   what goes into those directories. This is inevitably more secure than
  @@ -104,7 +121,7 @@
   Most sites choose this option over the non script aliased CGI approach.<P>
   
   <HR>
  -<H2>CGI in general</H2>
  +<h2><a name="cgi">CGI in General</a></h2>
   <P>Always remember that you must trust the writers of the CGI script/programs
   or your ability to spot potential security holes in CGI, whether they were
   deliberate or accidental.<P>
  @@ -121,7 +138,7 @@
   <HR>
   
   
  -<H2>Stopping users overriding system wide settings...</H2>
  +<h2><a name="systemsettings">Protecting System Settings</a></h2>
   <P>To run a really tight ship, you'll want to stop users from setting
   up <CODE>.htaccess</CODE> files which can override security features
   you've configured. Here's one way to do it...<P>
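Review bot: The heading text changes from "Stopping users overriding system wide settings..." to "Protecting System Settings", which the log message ("Add an index.") does not mention. The new title no longer says that the section is about stopping users' .htaccess files from overriding configured security features, which is what the paragraph below it describes. Consider keeping the original wording and only adding the anchor, or record the rename in the log.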
  @@ -141,7 +158,7 @@
   from those named.<P>
   <HR>
   <H2>
  - Protect server files by default
  +<a name="protectserverfiles">Protect Server Files by Default</a>
   </H2>
   <P>
   One aspect of Apache which is occasionally misunderstood is the feature
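Review bot: The "protectserverfiles" heading is left in a different form from the other five changed headings: the <H2> and </H2> lines stay uppercase on their own lines with a lowercase <a name=...> between them, while the earlier hunks rewrite each heading as a single lowercase <h2><a name=...>...</a></h2> line. Pick one form and use it for every indexed section.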