The World Wide Web Security FAQ
Lincoln D. Stein
Version 1.3.0, November 8 1996
MIRROR SITES FOR THIS DOCUMENT
The master copy of this document can be found at:
You may mirror this document by copying and unpacking the following
You should then set up a cron job to check this site at
regular intervals and update your copy. You can use the w3mir program for
this purpose. Please let me know when you've set up a mirror site so
that I may add you to this list.
- What's New?
- General Questions
- Q1 What's to worry about?
- Q2 Exactly what security risks are we talking about?
- Q3 Are some Web servers and operating systems
more secure than others?
- Q4 Are some Web server software programs more
secure than others?
- Q5 Are CGI scripts insecure?
- Q6 Are server-side includes insecure?
- Q7 What general security precautions should I take?
- Q8 Where can I learn more about network security?
- Running a Secure Server
- Q9 How do I set the file permissions of my server
and document roots?
- Q10 I'm running a server that provides a whole
bunch of optional features. Are any of them security risks?
- Q11 I heard that running the server as "root"
is a bad idea. Is this true?
- Q12 I want to share the same document tree between my
ftp and Web servers. Is there any problem with this idea?
- Q13 Can I make my site completely safe by running
the server in a "chroot" environment?
- Q14 My local network runs behind a firewall. How can I
use it to increase my Web site's security?
- Q15 My local network runs behind a firewall. How can
I get around it to give the rest of the world access to the
- Q16 How can I detect if my site's been broken into?
- Protecting Confidential Documents at Your Site
- Q17 What types of access restrictions are
- Q18 How safe is restriction by IP address or domain name?
- Q19 How safe is restriction by user name and password?
- Q20 What is user verification?
- Q21 How do I restrict access to documents by the
IP address or domain name of the remote browser?
- Q22 How do I add new users and passwords?
- Q23 Isn't there a CGI script to allow users to
change their passwords online?
- Q24 Using .htaccess to control access in individual directories
is so convenient, why should I use
- Q25 How does encryption work?
- Q26 What are: SSL, SHTTP, Shen?
- Q27 Are there any "freeware" secure servers?
- Q28 How do I accept credit card orders over the Web?
- Q29 What are: First Virtual Accounts, DigiCash,
- CGI Scripts
- Q30 What's the problem with CGI scripts?
- Q31 Is it better to store scripts in the cgi-bin
directory or to identify them using the .cgi extension?
- Q32 Are compiled languages such as C safer than
interpreted languages like Perl and shell scripts?
- Q33 I found a great CGI script on the Web and I
want to install it. How can I tell if it's safe?
- Q34 What CGI scripts are known to contain security
- Q35 I'm developing custom CGI scripts. What unsafe
practices should I avoid?
- Q36 But if I avoid eval(), exec(), popen() and system(),
how can I create an interface to my database/search engine/graphics
- Q37 Is it safe to rely on the PATH environment variable
to locate external programs?
- Q38 I hear there's a package called cgiwrap that makes
CGI scripts safe?
- Q39 People can only use scripts if they're accessed from
a form that lives on my local system, right?
- Q40 Can people see or change the values in "hidden"
- Q41 Is using the "POST" method for submitting forms
more private than "GET"?
- Q42 Where can I learn more about safe CGI scripting?
- Safe Scripting in Perl
- Q43 How do I avoid passing user variables through
a shell when calling exec() and system()?
- Q44 What are Perl taint checks? How do I turn
- Q45 OK, I turned on taint checks like you said. Now
my script dies with the message: "Insecure path at line XX"
every time I try to run it!
- Q46 How do I "untaint" a variable?
- Q47 I'm removing shell metacharacters from the
variable, but Perl still thinks it's tainted!
- Q48 Is it true that the pattern matching operation
$foo=~/$user_variable/ is unsafe?
- Q49 My CGI script needs more privileges than it's
getting as user "nobody". How do I run a Perl script as suid?
- Server Logs and Privacy
- Q50 What information do readers reveal that
they might want to keep private?
- Q51 Do I need to respect my readers' privacy?
- Q52 How do I avoid collecting too much information?
- Q53 How do I protect my readers' privacy?
- Client Side Security
- Q54 Someone suggested I configure /bin/csh as a viewer for
documents of type application/x-csh. Is this a good idea?
- Q55 Is there anything else I should
keep in mind regarding external viewers?
- Q56 How do I turn off the "You are submitting
the contents of a form insecurely" message in Netscape? Should I
worry about it?
- Q57 How secure is the encryption used by SSL?
- Q58 My Netscape browser is displaying a form
for ordering merchandise from a department store that I trust. The
little key at the lower left-hand corner of the Netscape window is
solid and has two teeth. This means I can safely submit my credit
card number, right?
- Q59 How private are my requests for Web documents?
- Q61 Are there any known security holes in Java?
- Q63 What is ActiveX? Does it pose any risks?
- Q64 Do "Cookies" Pose any Security Risks?
- Specific Servers
- Windows NT Servers
- Q65 Are there any known problems with the Netscape Servers?
- Q66 Are there any known problems with the WebSite Server?
- Q67 Are there any known problems with Purveyor?
- Q68 Are there any known problems with Microsoft IIS?
- Unix Servers
- Q69 Are there any known problems with NCSA httpd?
- Q70 Are there any known problems with CERN httpd?
- Q71 Are there any known problems with Apache httpd?
- Q72 Are there any known problems with the Netscape Servers?
- Q73 Are there any known problems with the IBM ICSS Server?
- Q74 Are there any known problems with the WN Server?
- Macintosh Servers
- Q75 Are there any known problems with WebStar?
- Q76 Are there any known problems with MacHTTP?
Whitehead Institute for
Last modified: Fri Nov 8 04:53:57 EST 1996