The World Wide Web Security FAQ
Lincoln D. Stein
Version 1.7.0, January 19, 1998
Webmasters: The Excite Web Search engine version 1.1 contains a security hole. See What's New.
Users: Internet Explorer 4.0 and 4.01 contain a serious security hole. See What's New.
MIRROR SITES FOR THIS DOCUMENT
The master copy of this document can be found at:
This document is updated every 2 to 4 weeks.
Western European Mirrors
Eastern European Mirrors
You may mirror this document by copying and unpacking the following
You should then set up a cron job to check this site at
regular intervals and update your copy. You can use the w3mir program for
this purpose. Please send me e-mail if you set up a mirror site in a
country that isn't already a mirror sponsor so that I may add
you to this list (more Pacific sites needed!).
You can also download this entire document as a ZIP archive:
- What's New?
- General Questions
  - Q1 What's to worry about?
  - Q2 Exactly what security risks are we talking about?
  - Q3 Are some Web servers and operating systems more secure than others?
  - Q4 Are some Web server software programs more secure than others?
  - Q5 Are CGI scripts insecure?
  - Q6 Are server-side includes insecure?
  - Q7 What general security precautions should I take?
  - Q8 Where can I learn more about network security?
- Running a Secure Server
  - Q9 How do I set the file permissions of my server and document roots?
  - Q10 I'm running a server that provides a whole bunch of optional features. Are any of them security risks?
  - Q11 I heard that running the server as "root" is a bad idea. Is this true?
  - Q12 I want to share the same document tree between my ftp and Web servers. Is there any problem with this idea?
  - Q13 Can I make my site completely safe by running the server in a "chroot" environment?
  - Q14 My local network runs behind a firewall. How can I use it to increase my Web site's security?
  - Q15 My local network runs behind a firewall. How can I get around it to give the rest of the world access to the
  - Q16 How can I detect if my site's been broken into?
- Protecting Confidential Documents at Your Site
  - Q17 What types of access restrictions are
  - Q18 How safe is restriction by IP address or domain name?
  - Q19 How safe is restriction by user name and password?
  - Q20 What is user verification?
  - Q21 How do I restrict access to documents by the IP address or domain name of the remote browser?
  - Q22 How do I add new users and passwords?
  - Q23 Isn't there a CGI script to allow users to change their passwords online?
  - Q24 Using .htaccess to control access in individual directories is so convenient, why should I use
  - Q25 How does encryption work?
  - Q26 What are: SSL, SHTTP, Shen?
  - Q27 Are there any "freeware" secure servers?
  - Q28 Can I use Personal Certificates to Control Server Access?
  - Q29 How do I accept credit card orders over the Web?
  - Q30 What are: First Virtual Accounts, DigiCash,
- CGI Scripts
  - Q31 What's the problem with CGI scripts?
  - Q32 Is it better to store scripts in the cgi-bin directory or to identify them using the .cgi extension?
  - Q33 Are compiled languages such as C safer than interpreted languages like Perl and shell scripts?
  - Q34 I found a great CGI script on the Web and I want to install it. How can I tell if it's safe?
  - Q35 What CGI scripts are known to contain security
  - Q36 I'm developing custom CGI scripts. What unsafe practices should I avoid?
  - Q37 But if I avoid eval(), exec(), popen() and system(), how can I create an interface to my database/search engine/graphics
  - Q38 Is it safe to rely on the PATH environment variable to locate external programs?
  - Q39 I hear there's a package called cgiwrap that makes CGI scripts safe?
  - Q40 People can only use scripts if they're accessed from a form that lives on my local system, right?
  - Q41 Can people see or change the values in "hidden"
  - Q42 Is using the "POST" method for submitting forms more private than "GET"?
  - Q43 Where can I learn more about safe CGI scripting?
- Safe Scripting in Perl
  - Q44 How do I avoid passing user variables through a shell when calling exec() and system()?
  - Q45 What are Perl taint checks? How do I turn
  - Q46 OK, I turned on taint checks like you said. Now my script dies with the message: "Insecure path at line XX" every time I try to run it!
  - Q47 How do I "untaint" a variable?
  - Q48 I'm removing shell metacharacters from the variable, but Perl still thinks it's tainted!
  - Q49 Is it true that the pattern matching operation $foo=~/$user_variable/ is unsafe?
  - Q50 My CGI script needs more privileges than it's getting as user "nobody". How do I run a Perl script as suid?
- Server Logs and Privacy
  - Q51 What information do readers reveal that they might want to keep private?
  - Q52 Do I need to respect my readers' privacy?
  - Q53 How do I avoid collecting too much information?
  - Q54 How do I protect my readers' privacy?
- Client Side Security
  - Q55 Someone suggested I configure /bin/csh as a viewer for documents of type application/x-csh. Is this a good idea?
  - Q56 Is there anything else I should keep in mind regarding external viewers?
  - Q57 How do I turn off the "You are submitting the contents of a form insecurely" message in Netscape? Should I worry about it?
  - Q58 How secure is the encryption used by SSL?
  - Q59 When I try to view a secure page, the browser complains that the site certificate doesn't match the server and asks me if I wish to continue. Should I?
  - Q60 When I try to view a secure page, the browser complains that it doesn't recognize the authority that signed its certificate and asks me if I want to continue. Should I?
  - Q61 How private are my requests for Web documents?
  - Q63 Are there any known security holes in Java?
  - Q65 What is ActiveX? Does it pose any risks?
  - Q66 Do "Cookies" Pose any Security Risks?
  - Q67 Can your web browser reveal your LAN login name and password?
  - Q68 Are there any known problems in Microsoft Internet Explorer?
- Specific Servers
  - Windows NT Servers
    - Q69 Are there any known problems with the Netscape Servers?
    - Q70 Are there any known problems with the WebSite Server?
    - Q71 Are there any known problems with Purveyor?
    - Q72 Are there any known problems with Microsoft IIS?
  - Unix Servers
    - Q73 Are there any known problems with NCSA httpd?
    - Q74 Are there any known problems with CERN httpd?
    - Q75 Are there any known problems with Apache httpd?
    - Q76 Are there any known problems with the Netscape Servers?
    - Q77 Are there any known problems with the IBM ICSS Server?
    - Q78 Are there any known problems with the WN Server?
  - Macintosh Servers
    - Q79 Are there any known problems with WebStar?
    - Q80 Are there any known problems with MacHTTP?
    - Q81 Are there any known problems with Quid Pro Quo?
  - Other Servers
    - Q82 Are there any known problems with Novell WebServer?
Lincoln D. Stein
Last modified: Mon Jan 19 13:01:21 EST 1998