--><title>Security Tips - Apache HTTP Server</title><link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /><link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /><link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link href="../images/favicon.ico" rel="shortcut icon" /></head><body id="manual-page"><div id="page-header"><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p class="apache">Apache HTTP Server Version 2.0</p><img alt="" src="../images/feather.gif" /></div><div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div><div id="path"><a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs-project/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>Security Tips</h1>
<p>Some hints and tips on security issues in setting up a web server.
Some of the suggestions will be general, others specific to Apache.</p>
- </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li><li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li><li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
+ </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Keep up to Date</a></li><li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li><li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li><li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="uptodate" id="uptodate">Keep up to Date</a></h2>
+
+ <p>The Apache HTTP Server has a good record for security and a
+ developer community highly concerned about security issues. But
+ it is inevitable that some problems -- small or large -- will be
+ discovered in software after it is released. For this reason, it
+ is crucial to keep aware of updates to the software. If you have
+ obtained your version of the HTTP Server directly from Apache, we
+ highly recommend you subscribe to the <a href="http://httpd.apache.org/lists.html#http-announce">Apache
+ HTTP Server Announcements List</a> where you can keep informed of
+ new releases and security updates. Similar services are available
+ from most third-party distributors of Apache software.</p>
+
+ <p>Of course, most times that a web server is compromised, it is
+ not because of problems in the HTTP Server code. Rather, it comes
+ from problems in add-on code, CGI scripts, or the underlying
+ Operating System. You must therefore stay aware of problems and
+ updates with all the software on your system.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
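Review bot: The announcements-list link in the first added paragraph uses a plain http:// URL (href="http://httpd.apache.org/lists.html#http-announce"), yet this is the channel the section tells administrators to rely on for release and security notices. If the site serves that page over HTTPS, link it that way. The new TOC entry (#uptodate) and the h2 anchor (name="uptodate" id="uptodate") match, so the in-page link resolves. The two paragraphs here repeat the text of the <section id="uptodate"> block added further down, so any wording change should be made once there and carried over, not edited by hand in both places.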
<p>Allowing users to execute CGI scripts in any directory should only be
- considered if;</p>
+ considered if:</p>
<ul>
<li>You trust your users not to write scripts which will deliberately
Some of the suggestions will be general, others specific to Apache.</p>
</summary>
+ <section id="uptodate"><title>Keep up to Date</title>
+
+ <p>The Apache HTTP Server has a good record for security and a
+ developer community highly concerned about security issues. But
+ it is inevitable that some problems -- small or large -- will be
+ discovered in software after it is released. For this reason, it
+ is crucial to keep aware of updates to the software. If you have
+ obtained your version of the HTTP Server directly from Apache, we
+ highly recommend you subscribe to the <a
+ href="http://httpd.apache.org/lists.html#http-announce">Apache
+ HTTP Server Announcements List</a> where you can keep informed of
+ new releases and security updates. Similar services are available
+ from most third-party distributors of Apache software.</p>
+
+ <p>Of course, most times that a web server is compromised, it is
+ not because of problems in the HTTP Server code. Rather, it comes
+ from problems in add-on code, CGI scripts, or the underlying
+ Operating System. You must therefore stay aware of problems and
+ updates with all the software on your system.</p>
+
+ </section>
+
<section id="serverroot">
<title>Permissions on ServerRoot Directories</title>
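Review bot: The second added paragraph closes with "You must therefore stay aware of problems and updates with all the software on your system", which gives the reader nothing concrete to act on, whereas the first paragraph names a specific list to subscribe to. Consider saying where to look for each of the three sources it names (add-on code, CGI scripts, the underlying operating system), for example the security announcements of whoever supplied them. Two smaller points in the same paragraph: "most times that a web server is compromised" is stated as fact with no qualifier, and "Operating System" does not need capitals mid-sentence.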
<title>Non Script Aliased CGI</title>
<p>Allowing users to execute CGI scripts in any directory should only be
- considered if;</p>
+ considered if:</p>
<ul>
<li>You trust your users not to write scripts which will deliberately