The WWW Security FAQ
The World Wide Web Security FAQ Lincoln D. Stein
Version 2.0.1, March 24, 2000
This information is provided by Lincoln Stein ( email@example.com).
The World Wide Web Consortium (W3C) hosts this document as a service to
the Web Community; however, it does not endorse its contents. For further
information, please contact Lincoln Stein directly.
New information on distributed denial of service attacks.
See Q88 through Q101 for details.
Do your part to keep the WWW Security FAQ up to date. See
for submitting corrections and updates.
The master copy of this document can be found at http://www.w3.org/Security/Faq/.
See this page for a listing of
mirror sites or if you are interested in becoming a mirror site yourself.
Q1 What's to worry about?
Q2 Exactly what security risks are we talking
Q3 Are some Web servers and operating systems
more secure than others?
Q4 Are some Web server software programs more
secure than others?
Q5 Are CGI scripts insecure?
Q6 Are server-side includes insecure?
Q7 What general security precautions should
Q8 Where can I learn more about network security?
Running a Secure Server
Q9 How do I set the file permissions of my
server and document roots?
Q10 I'm running a server that provides a
whole bunch of optional features. Are any of them security risks?
Q11 I heard that running the server as "root"
is a bad idea. Is this true?
Q12 I want to share the same document tree
between my ftp and Web servers. Is there any problem with this idea?
Q13 Can I make my site completely safe by
running the server in a "chroot" environment?
Q14 My local network runs behind a firewall.
How can I use it to increase my Web site's security?
Q15 My local network runs behind a firewall.
How can I get around it to give the rest of the world access to the Web
Q16 How can I detect if my site's been broken
Protecting Confidential Documents at Your Site
Q17 What types of access restrictions are
Q18 How safe is restriction by IP address
or domain name?
Q19 How safe is restriction by user name
Q20 What is user verification?
Q21 How do I restrict access to documents
by the IP address or domain name of the remote browser?
Q22 How do I add new users and passwords?
Q23 Isn't there a CGI script to allow users
to change their passwords online?
Q24 Using .htaccess to control access
in individual directories is so convenient, why should I use access.conf?
Q25 How does encryption work?
Q26 What are: SSL, SHTTP, Shen?
Q27 Are there any "freeware" secure servers?
Q28 Can I use Personal Certificates to Control
Q29 How do I accept credit card orders over
Q30 What are: CyberCash, SET, Open Market?
Q31 What's the problem with CGI scripts?
Q32 Is it better to store scripts in the
cgi-bin directory or to identify them using the .cgi extension?
Q33 Are compiled languages such as C safer
than interpreted languages like Perl and shell scripts?
Q34 I found a great CGI script on the Web
and I want to install it. How can I tell if it's safe?
Q35 What CGI scripts are known to contain
Q36 I'm developing custom CGI scripts. What
unsafe practices should I avoid?
Q37 But if I avoid eval(), exec(), popen()
and system(), how can I create an interface to my database/search engine/graphics
Q38 Is it safe to rely on the PATH environment
variable to locate external programs?
Q39 I hear there's a package called cgiwrap
that makes CGI scripts safe?
Q40 People can only use scripts if they're
accessed from a form that lives on my local system, right?
Q41 Can people see or change the values in
"hidden" form variables?
Q42 Is using the "POST" method for submitting
forms more private than "GET"?
Q43 Where can I learn more about safe CGI
Safe Scripting in Perl
Q44 How do I avoid passing user variables
through a shell when calling exec() and system()?
Q45 What are Perl taint checks? How do I
turn them on?
Q46 OK, I turned on taint checks like you
said. Now my script dies with the message: "Insecure path at line XX"
time I try to run it!
Q47 How do I "untaint" a variable?
Q48 I'm removing shell metacharacters from
the variable, but Perl still thinks it's tainted!
Q49 Is it true that the pattern matching
operation $foo=~/$user_variable/ is unsafe?
Q50 My CGI script needs more privileges than
it's getting as user "nobody". How do I run a Perl script as suid?
Server Logs and Privacy
Q51 What information do readers reveal that
they might want to keep private?
Q52 Do I need to respect my readers' privacy?
Q53 How do I avoid collecting too much information?
Q54 How do I protect my readers' privacy?
Client Side Security
Q55 Can I be attacked just by opening an
Q56 Someone suggested I configure /bin/csh
as a viewer for documents of type application/x-csh. Is this a good idea?
Q57 Is there anything else I should keep
in mind regarding external viewers?
Q58 How do I turn off the "You are submitting
the contents of a form insecurely" message in Netscape? Should I worry
Q59 How secure is the encryption used by
Q60 When I try to view a secure page, the
browser complains that the site certificate doesn't match the server and
asks me if I wish to continue. Should I?
Q61 When I try to view a secure page, the
browser complains that it doesn't recognize the authority that signed its
certificate and asks me if I want to continue. Should I?
Q61 How private are my requests for Web documents?
Q62 What's the difference between Java and
Q63 Are there any known security holes in
Q64 Are there any known security holes in
Q65 What is ActiveX? Does it pose any risks?
Q66 Do "Cookies" Pose any Security Risks?
Q67 I hear there's an e-mail message making
the rounds that can trash my hard disk when I open it. Is this true?
Q68 Can one Web site hijack another's content?
Q69 Can my web browser reveal my LAN login
name and password?
Q70 Are there any known problems with Microsoft
Q71 Are there any known problems with Netscape
Q72 Are there any known problems with Lynx
Windows NT Servers
Q73 Are there any known problems with the
Q74 Are there any known problems with the
Q75 Are there any known problems with Purveyor?
Q76 Are there any known problems with Microsoft
Q77Are there any known security problems
with Sun Microsystem's JavaWebServer?
Q78Are there any known security problems
with the MetaInfo MetaWeb Server?
Q79 Are there any known problems with NCSA
Q80 Are there any known problems with Apache
Q81 Are there any known problems with the
Q82 Are there any known problems with the
Lotus Domino Go Server?
Q83 Are there any known problems with the
Q84 Are there any known problems with WebStar?
Q85 Are there any known problems with MacHTTP?
Q86 Are there any known problems with Quid
Q87 Are there any known problems with Novell
Denial of Service
Q88 What is a Denial of Service attack?
Q89 What is a Distributed Denial of Service
Q90 How is a DDoS executed against a website?
Q91 Is there a quick and easy way to secure
against a DDoS attack?
Q92 Can the U.S. Government make a difference?
Q93 How do I check my servers to see if they
are active DDoS hosts?
Q94 What should I do if I find a DDoS host
program on my server?
Q95 How can I prevent my servers from being
used as DDoS hosts in the future?
Q96 How can I prevent my personal computer
from being used as a DDoS host?
Q97 What is a "smurf attack" and how do I
defend against it?
Q98 What is "trinoo" and how do I defend
Q99 What are "Tribal Flood Network" and "TFN2K"
and how do I defend against them?
Q100 What is "stacheldraht" and how do I
defend against it?
Q101 How should I configure my routers,
firewalls, and intrusion detection systems against DDoS attacks?
I welcome bug reports, updates, reports about broken links, comments and
outright disagreements. Please send your comments to Corrections and Updates firstname.lastname@example.org.
Please make sure that you are referring to the most recent version of the
FAQ (maintained at http://www.w3.org/Security/Faq/);
someone else might have caught the problem before you.
Please understand that I maintain the FAQ on a purely voluntary basis,
and that I may fall behind on making updates when other responsibilities
intrude. You can help me out by making an attempt to identify replacement
links when reporting a broken one, and by suggesting appropriate rewording
when you have found an error in the text. Suggestions for new questions
and answers are welcomed, particularly if you are willing to contribute
the text yourself. ;-)
Lincoln D. Stein ( email@example.com)
Last modified: Fri Mar 24 16:18:13 EST 2000