next up previous contents index
Next: Web access authorization Up: Security Previous: Defensive measures


Web-specific security issues

The Web is an inherently open system. It derives most of its utility and popularity from its openness, but this means that it is open not only to useful and cooperative elements, but also to abuse. The very fact that a Web server is connected to the Internet, and is well publicized, increases the risk of attracting unwanted attention to the system on which it runs.

Although the Web servers themselves are quite well-protected against attack, the use of CGI scripts opens up a huge security hole. Examine CGI scripts regularly, if you decide to allow them at all.

Local users' private Web pages may inadvertently provide a way into an otherwise well-protected system. If you decide to allow them, they need to be carefully monitored. Allowing users' own CGI scripts to be executed is certainly inadvisable in general. A Web server system can of course be configured so as not to permit user logins, which makes it more secure, although if this is done the server cannot provide user pages so easily.

The access authorization mechanisms provided by many servers permit access to sets of resources to be restricted. These are discussed in the section on Web access authorization. Web servers produce log files, and these should be examined regularly for signs of suspicious activity, such as multiple requests coming in from a particular user who might be trying to access restricted data.
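As an added illustration of the log examination just described (this is example code, not from the book), the following script parses server log lines in the NCSA Common Log Format and reports any client host that has been refused access (status 401 or 403) repeatedly. The sample log lines and the threshold of three refusals are constructed for the example.

```python
import re
from collections import defaultdict

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/1994:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326
10.0.0.9 - - [10/Dec/1994:13:56:01 +0000] "GET /private/report.html HTTP/1.0" 401 0
10.0.0.9 - - [10/Dec/1994:13:56:04 +0000] "GET /private/report.html HTTP/1.0" 401 0
10.0.0.9 - bob [10/Dec/1994:13:56:09 +0000] "GET /private/report.html HTTP/1.0" 403 0
10.0.0.9 - - [10/Dec/1994:13:56:15 +0000] "GET /private/salaries.html HTTP/1.0" 401 0
10.0.0.5 - - [10/Dec/1994:13:57:00 +0000] "GET /cgi-bin/search?q=web HTTP/1.0" 200 512
this line is not in CLF and should be skipped
"""

def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def denied_requests_by_host(log_text, threshold=3):
    """Count 401/403 responses per client host and return those at or above threshold.

    Result: {host: (count, sorted list of distinct paths refused)}.
    """
    denied = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["status"] not in ("401", "403"):
            continue
        # request is "METHOD path HTTP/x.y"; keep just the path
        parts = rec["request"].split()
        path = parts[1] if len(parts) >= 2 else rec["request"]
        denied[rec["host"]].append(path)
    return {h: (len(p), sorted(set(p))) for h, p in denied.items() if len(p) >= threshold}

if __name__ == "__main__":
    for host, (count, paths) in denied_requests_by_host(SAMPLE_LOG).items():
        print(f"{host}: {count} refused requests for {', '.join(paths)}")
```

On the sample data the script reports host 10.0.0.9 with four refused requests; in practice the threshold and the list of sensitive paths would be tuned to the site.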


[ITCP]Spinning the Web by Andrew Ford
© 1995 International Thomson Publishing
© 2002 Andrew Ford and Ford & Mason Ltd
Note: this HTML document was generated in December 1994 directly from the LaTeX source files using LaTeX2HTML. It was formatted into our standard page layout using the Template Toolkit. The document is mainly of historical interest as obviously many of the sites mentioned have long since disappeared.

 
Copyright © 1996-2002 Ford & Mason Ltd