The World Wide Web Security FAQ
Lincoln D. Stein
<lstein@cshl.org>
Version 2.0.1, September 13, 1999
DISCLAIMER
This information is provided by Lincoln Stein (lstein@cshl.org). The World Wide Web
Consortium (W3C) hosts this document as a service to the Web Community;
however, it does not endorse its contents. For further information,
please contact Lincoln Stein directly.
Alert
Your Web site's frames can be hijacked to display unauthorized
content. See What's New for details.
Do your part to keep the WWW Security FAQ up to date. See below for submitting corrections and updates.
Mirrors
The master copy of this document can be found at
http://www.w3.org/Security/Faq/.
See this page for a listing of mirror
sites or if you are interested in becoming a mirror site yourself.
- Introduction
- What's New?
- General Questions
- Q1 What's to worry about?
- Q2 Exactly what security risks are we talking about?
- Q3 Are some Web servers and operating systems
more secure than others?
- Q4 Are some Web server software programs more
secure than others?
- Q5 Are CGI scripts insecure?
- Q6 Are server-side includes insecure?
- Q7 What general security precautions should I take?
- Q8 Where can I learn more about network security?
- Running a Secure Server
- Q9 How do I set the file permissions of my server
and document roots?
- Q10 I'm running a server that provides a whole
bunch of optional features. Are any of them security risks?
- Q11 I heard that running the server as "root"
is a bad idea. Is this true?
- Q12 I want to share the same document tree between my
ftp and Web servers. Is there any problem with this idea?
- Q13 Can I make my site completely safe by running
the server in a "chroot" environment?
- Q14 My local network runs behind a firewall. How can I
use it to increase my Web site's security?
- Q15 My local network runs behind a firewall. How can
I get around it to give the rest of the world access to the
Web server?
- Q16 How can I detect if my site's been broken into?
- Protecting Confidential Documents at Your Site
- Q17 What types of access restrictions are
available?
- Q18 How safe is restriction by IP address or domain name?
- Q19 How safe is restriction by user name and password?
- Q20 What is user verification?
- Q21 How do I restrict access to documents by the
IP address or domain name of the remote browser?
- Q22 How do I add new users and passwords?
- Q23 Isn't there a CGI script to allow users to
change their passwords online?
- Q24 Using
.htaccess
to control
access in individual directories is so convenient, why
should I use access.conf
?
- Q25 How does encryption work?
- Q26 What are: SSL, SHTTP, Shen?
- Q27 Are there any "freeware" secure servers?
- Q28 Can I use Personal Certificates to Control Server Access?
- Q29 How do I accept credit card orders over the Web?
- Q30 What are: First Virtual Accounts, DigiCash,
Cybercash?
- CGI Scripts
- Q31 What's the problem with CGI scripts?
- Q32 Is it better to store scripts in the cgi-bin
directory or to identify them using the .cgi extension?
- Q33 Are compiled languages such as C safer than
interpreted languages like Perl and shell scripts?
- Q34 I found a great CGI script on the Web and I
want to install it. How can I tell if it's safe?
- Q35 What CGI scripts are known to contain security
holes?
- Q36 I'm developing custom CGI scripts. What unsafe
practices should I avoid?
- Q37 But if I avoid eval(), exec(), popen() and system(),
how can I create an interface to my database/search engine/graphics
package?
- Q38 Is it safe to rely on the PATH environment variable
to locate external programs?
- Q39 I hear there's a package called cgiwrap that makes
CGI scripts safe?
- Q40 People can only use scripts if they're accessed from
a form that lives on my local system, right?
- Q41 Can people see or change the values in "hidden"
form variables?
- Q42 Is using the "POST" method for submitting forms
more private than "GET"?
- Q43 Where can I learn more about safe CGI scripting?
- Safe Scripting in Perl
- Q44 How do I avoid passing user variables through
a shell when calling exec() and system()?
- Q45 What are Perl taint checks? How do I turn
them on?
- Q46 OK, I turned on taint checks like you said. Now
my script dies with the message: "Insecure path at line XX"
every time I try to run it!
- Q47 How do I "untaint" a variable?
- Q48 I'm removing shell metacharacters from the
variable, but Perl still thinks it's tainted!
- Q49 Is it true that the pattern matching operation
$foo=~/$user_variable/ is unsafe?
- Q50 My CGI script needs more privileges than it's
getting as user "nobody". How do I run a Perl script as suid?
- Server Logs and Privacy
- Q51 What information do readers reveal that
they might want to keep private?
- Q52 Do I need to respect my readers' privacy?
- Q53 How do I avoid collecting too much information?
- Q54 How do I protect my readers' privacy?
- Client Side Security
- Q55 Can I be attacked just by opening an e-mail message?
- Q56 Someone suggested I configure /bin/csh as a viewer for
documents of type application/x-csh. Is this a good idea?
- Q57 Is there anything else I should
keep in mind regarding external viewers?
- Q58 How do I turn off the "You are submitting
the contents of a form insecurely" message in Netscape? Should I
worry about it?
- Q59 How secure is the encryption used by SSL?
- Q60 When I try to view a secure page, the
browser complains that the site certificate doesn't match the server
and asks me if I wish to continue. Should I?
- Q61 When I try to view a secure page, the browser complains that
it doesn't recognize the authority that signed its certificate and asks me if I want to
continue. Should I?
- Q61 How private are my requests for Web documents?
- Q62 What's the difference between Java and JavaScript?
- Q63 Are there any known security holes in Java?
- Q64 Are there any known security holes in JavaScript?
- Q65 What is ActiveX? Does it pose any risks?
- Q66 Do "Cookies" Pose any Security Risks?
- Q67 I hear there's an e-mail message making the rounds that can trash my hard disk
when I open it. Is this true?
- Q68 Can one Web site hijack another's content?
- Q69 Can my web browser reveal my LAN login name and password?
- Q70 Are there any known problems with Microsoft Internet Explorer?
- Q71 Are there any known problems with Netscape Communicator?
- Q72 Are there any known problems with Lynx for Unix?
- Specific Servers
- Windows NT Servers
- Q73 Are there any known problems with the Netscape Servers?
- Q74 Are there any known problems with the WebSite Server?
- Q75 Are there any known problems with Purveyor?
- Q76 Are there any known problems with Microsoft IIS?
- Q77Are there any known security problems with Sun
Microsystem's JavaWebServer?
- Q78Are there any known security problems with the
MetaInfo MetaWeb Server?
- Unix Servers
- Q79 Are there any known problems with NCSA httpd?
- Q80 Are there any known problems with Apache httpd?
- Q81 Are there any known problems with the Netscape Servers?
- Q82 Are there any known problems with the Lotus Domino Go Server?
- Q83 Are there any known problems with the WN Server?
- Macintosh Servers
- Q84 Are there any known problems with WebStar?
- Q85 Are there any known problems with MacHTTP?
- Q86 Are there any known problems with Quid Pro Quo?
- Other Servers
- Q87 Are there any known problems with Novell WebServer?
- Bibliography
I welcome bug reports, updates, reports about broken links, comments
and outright disagreements. Please send your comments to lstein@cshl.org. Please make sure
that you are referring to the most recent version of the FAQ
(maintained at http://www.w3.org/Security/Faq/);
someone else might have caught the problem before you.
Please understand that I maintain the FAQ on a purely voluntary basis,
and that I may fall behind on making updates when other
responsibilities intrude. You can help me out by making an attempt to
identify replacement links when reporting a broken one, and by
suggesting appropriate rewording when you have found an error in the
text. Suggestions for new questions and answers are welcomed,
particularly if you are willing to contribute the text yourself. ;-)
Lincoln D. Stein
(lstein@cshl.org)
Last modified: Mon Sep 13 14:09:45 EDT 1999