This page is for notes and discussion on how to secure all aspects of your Webware application. If you have links to other pages related to web-server and OS security issues, please add them below.

Securing your server (the machine and OS)
-----------------------------------------

* http://www.enteract.com/~lspitz/pubs.html (several papers on securing your OS --StephanDiehl_)
* WhichOperatingSystem_

Securing your web server (Apache, IIS, etc.)
--------------------------------------------

* http://httpd.apache.org/docs/misc/security_tips.html
* http://www.bignosebird.com/apache/a11.shtml

Securing your installation of Webware
-------------------------------------

* Open Webware/WebKit_/Application.config with a text editor and change the 'AdminPassword_' (or remove the Admin context completely).

Securing your Webware application
---------------------------------

* If your app requires client authentication, read `Dos and Don’ts of Client Authentication on the Web`_ to avoid many common web authentication pitfalls. The two things I love most about this system are: 1) it's simple, and 2) it doesn't require sessions (server state). -- TerrelShumway_ - 10 July 2004

.. _`Dos and Don’ts of Client Authentication on the Web`: http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf

You might also consider:

* periodically reseeding Python's random number generator from a strong source (such as /dev/random or EGD),
* binding session IDs to client IP addresses (though this may annoy mobile DHCP sessions),
* after successful name+password authentication in an SSL session, drop the old session and generate a new one. Set the "secure" flag in the associated _SID_ cookie sent to the client, to reduce the risk of eavesdropping.

-- KenLalonde_ - 28 Nov 2001

* URLSessionIDSecurity_ -- security concerns if you put the session ID in the URL (via GET variable or path)

General notes and links
-----------------------

* http://www.w3.org/Security/
* http://www.w3.org/Security/Faq/
* http://www.yourwindow.to/information-security/ (security glossary)
* http://www.counterpane.com/crypto-gram.html (monthly security newsletter by Bruce Schneier --StephanDiehl_)

-- TavisRudd_ - 22 Nov 2001
-- ChuckEsterbrook_ - 10 Dec 2001
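The three session-handling points in KenLalonde's note above (strong randomness for session IDs, binding a session to the client IP, and dropping the old session after login while marking the `_SID_` cookie `Secure`) worked through in plain Python as an added example. This is not Webware's own session API: `SESSIONS`, `create_session`, `lookup_session`, `login` and `secure_sid_cookie` are assumed names for a framework-agnostic in-memory store. Instead of periodically reseeding the `random` module, it draws every ID directly from the OS CSPRNG via the standard `secrets` module, which is the modern equivalent of reading /dev/random.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> session record.
# (Assumed stand-in for a real session store; example code, not Webware's.)
SESSIONS = {}


def new_session_id():
    """Return a fresh 256-bit session id from the OS CSPRNG (secrets -> os.urandom),
    so Python's `random` module is never used for security-relevant values."""
    return secrets.token_hex(32)


def create_session(client_ip, data=None):
    """Create an unauthenticated session bound to the client's IP address."""
    sid = new_session_id()
    SESSIONS[sid] = {"ip": client_ip, "authenticated": False, "data": dict(data or {})}
    return sid


def lookup_session(sid, client_ip):
    """Return the session for sid, or None if it is unknown or was created from a
    different client IP (the IP-binding check from the note; mobile clients whose
    address changes will be logged out and must re-authenticate)."""
    sess = SESSIONS.get(sid)
    if sess is None or sess["ip"] != client_ip:
        return None
    return sess


def secure_sid_cookie(sid):
    """Build the Set-Cookie value for _SID_ with the Secure flag (browser sends it
    over HTTPS only) and HttpOnly (page scripts cannot read it)."""
    cookie = SimpleCookie()
    cookie["_SID_"] = sid
    cookie["_SID_"]["secure"] = True
    cookie["_SID_"]["httponly"] = True
    cookie["_SID_"]["path"] = "/"
    return cookie["_SID_"].OutputString()


def login(old_sid, client_ip, username, password, check_credentials):
    """On successful authentication, discard the pre-login session and issue a
    brand-new id, so an id a client held (or was handed) before login never
    becomes an authenticated one. Returns (new_sid, set_cookie_value) or None."""
    if not check_credentials(username, password):
        return None
    old = SESSIONS.pop(old_sid, None)
    # Carry over pre-login data only if the old session really belonged to this client.
    carried = old["data"] if old is not None and old["ip"] == client_ip else {}
    new_sid = create_session(client_ip, carried)
    SESSIONS[new_sid]["authenticated"] = True
    SESSIONS[new_sid]["user"] = username
    return new_sid, secure_sid_cookie(new_sid)


if __name__ == "__main__":
    # Constructed walk-through: anonymous session, then a successful login.
    def demo_check(user, pw):
        return user == "alice" and pw == "correct horse"

    anon = create_session("192.0.2.10")
    new_sid, header = login(anon, "192.0.2.10", "alice", "correct horse", demo_check)
    print("old id still valid:", lookup_session(anon, "192.0.2.10") is not None)
    print("Set-Cookie:", header)
```

The `Secure` flag only helps if the login itself happened over SSL, as the note says; a cookie set on a plain-HTTP response has already crossed the wire in the clear once.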