Posted to cvs@httpd.apache.org by sl...@apache.org on 2002/11/30 03:35:08 UTC

cvs commit: httpd-2.0/docs/manual/misc security_tips.xml security_tips.html.en

slive       2002/11/29 18:35:08

  Modified:    docs/manual/misc security_tips.xml security_tips.html.en
  Log:
  Note in the security docs that people should subscribe to the
  announcements list.
  
  PR: 14892
  
  Revision  Changes    Path
  1.5       +23 -1     httpd-2.0/docs/manual/misc/security_tips.xml
  
  Index: security_tips.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/misc/security_tips.xml,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -d -b -u -r1.4 -r1.5
  --- security_tips.xml	17 Nov 2002 06:28:40 -0000	1.4
  +++ security_tips.xml	30 Nov 2002 02:35:08 -0000	1.5
  @@ -13,6 +13,28 @@
       Some of the suggestions will be general, others specific to Apache.</p>
     </summary>
     
  +  <section id="uptodate"><title>Keep up to Date</title>
  +
  +    <p>The Apache HTTP Server has a good record for security and a
  +    developer community highly concerned about security issues.  But
  +    it is inevitable that some problems -- small or large -- will be
  +    discovered in software after it is released.  For this reason, it
  +    is crucial to keep aware of updates to the software.  If you have
  +    obtained your version of the HTTP Server directly from Apache, we
  +    highly recommend you subscribe to the <a
  +    href="http://httpd.apache.org/lists.html#http-announce">Apache
  +    HTTP Server Announcements List</a> where you can keep informed of
  +    new releases and security updates.  Similar services are available
  +    from most third-party distributors of Apache software.</p>
  +
  +    <p>Of course, most times that a web server is compromised, it is
  +    not because of problems in the HTTP Server code.  Rather, it comes
  +    from problems in add-on code, CGI scripts, or the underlying
  +    Operating System.  You must therefore stay aware of problems and
  +    updates with all the software on your system.</p>
  +
  +  </section>
  +
     <section id="serverroot">
     
       <title>Permissions on ServerRoot Directories</title>
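
Review bot: in the second added paragraph, "most times that a web server is compromised, it is not because of problems in the HTTP Server code" is stated as fact with nothing to back it, and the closing "You must therefore stay aware of problems and updates with all the software on your system" gives the reader nothing to act on, unlike the first paragraph, which links the announcements list. Consider softening "most times" to "often" and pointing readers to the security announcements published by their operating system vendor and by the authors of the add-on modules and CGI scripts they run. Minor style point: the title "Keep up to Date" does not follow the capitalization of the neighbouring "Permissions on ServerRoot Directories"; "Keep Up to Date" would match.
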
  @@ -131,7 +153,7 @@
       <title>Non Script Aliased CGI</title>
       
       <p>Allowing users to execute CGI scripts in any directory should only be 
  -    considered if;</p>
  +    considered if:</p>
       
       <ul>
         <li>You trust your users not to write scripts which will deliberately 
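
Review bot: the change from "considered if;" to "considered if:" in the "Non Script Aliased CGI" section is unrelated to the announcements-list note and is not mentioned in the log message. The fix itself is correct; either mention it in the log or commit it separately so that the history for PR 14892 covers only the new "uptodate" section.
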
  
  
  
  1.9       +21 -2     httpd-2.0/docs/manual/misc/security_tips.html.en
  
  Index: security_tips.html.en
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/misc/security_tips.html.en,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -d -b -u -r1.8 -r1.9
  --- security_tips.html.en	17 Nov 2002 06:42:27 -0000	1.8
  +++ security_tips.html.en	30 Nov 2002 02:35:08 -0000	1.9
  @@ -7,7 +7,26 @@
         --><title>Security Tips - Apache HTTP Server</title><link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /><link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /><link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link href="../images/favicon.ico" rel="shortcut icon" /></head><body id="manual-page"><div id="page-header"><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p class="apache">Apache HTTP Server Version 2.0</p><img alt="" src="../images/feather.gif" /></div><div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div><div id="path"><a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs-project/">Documentation</a> &gt; <a href="../">Version 2.0</a> &gt; <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>Security Tips</h1>
       <p>Some hints and tips on security issues in setting up a web server. 
       Some of the suggestions will be general, others specific to Apache.</p>
  -  </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li><li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li><li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
  +  </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Keep up to Date</a></li><li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li><li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li><li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="uptodate" id="uptodate">Keep up to Date</a></h2>
  +
  +    <p>The Apache HTTP Server has a good record for security and a
  +    developer community highly concerned about security issues.  But
  +    it is inevitable that some problems -- small or large -- will be
  +    discovered in software after it is released.  For this reason, it
  +    is crucial to keep aware of updates to the software.  If you have
  +    obtained your version of the HTTP Server directly from Apache, we
  +    highly recommend you subscribe to the <a href="http://httpd.apache.org/lists.html#http-announce">Apache
  +    HTTP Server Announcements List</a> where you can keep informed of
  +    new releases and security updates.  Similar services are available
  +    from most third-party distributors of Apache software.</p>
  +
  +    <p>Of course, most times that a web server is compromised, it is
  +    not because of problems in the HTTP Server code.  Rather, it comes
  +    from problems in add-on code, CGI scripts, or the underlying
  +    Operating System.  You must therefore stay aware of problems and
  +    updates with all the software on your system.</p>
  +
  +  </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
     
       
       
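
Review bot: the two paragraphs added under the new "uptodate" heading repeat the security_tips.xml text word for word, so any wording change made to the XML has to be carried into this file in the same commit, otherwise the two copies drift apart. The new table-of-contents entry and the section are both placed ahead of "Permissions on ServerRoot Directories", which matches the order in the XML, and the anchor uses name="uptodate" id="uptodate" in the same form as the existing "serverroot" anchor.
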
  @@ -116,7 +135,7 @@
       
       
       <p>Allowing users to execute CGI scripts in any directory should only be 
  -    considered if;</p>
  +    considered if:</p>
       
       <ul>
         <li>You trust your users not to write scripts which will deliberately