Web Security
When your site holds any sort of value it's worth protecting.

Tip #1 - Shut Off Directory Indexing. Unless you are running a web site for the sole purpose of serving out files for download, shut off directory indexing. You do not want someone hitting an empty directory on your site, or a folder without a default index file, and seeing a full list of the files in that folder. Directory indexing can expose files you did not intend to be publicly available or easily discoverable on your web site.
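As an added example (not code from the post), here is what the weak and the hardened setting look like for Apache (the Options directive) and nginx (autoindex), plus a small POSIX shell/awk check that reads a config and reports whether any directive turns directory listings on. The config fragments and the /var/www/html and /downloads/ paths are constructed for the example.

```shell
#!/bin/sh
# Constructed config fragments (not from the post): the weak setting first,
# the hardened one after it. Apache's Options directive and nginx's autoindex
# are the two switches that control directory listings.
APACHE_WEAK='<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>'

APACHE_HARDENED='<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>'

NGINX_WEAK='location /downloads/ {
    autoindex on;
}'

NGINX_HARDENED='location /downloads/ {
    autoindex off;
}'

# Read a config on stdin; exit 0 (true) if any directive turns directory
# indexing on, 1 otherwise. For Apache, "Indexes", "+Indexes" and "All"
# enable it and "-Indexes" is the explicit opt-out; for nginx it is
# "autoindex on". Directive names and values are case-insensitive in Apache.
indexing_enabled() {
  awk 'tolower($1) == "options" {
         for (i = 2; i <= NF; i++) {
           v = tolower($i)
           if (v == "indexes" || v == "+indexes" || v == "all") found = 1
         }
       }
       tolower($1) == "autoindex" && tolower($2) ~ /^on;?$/ { found = 1 }
       END { exit found ? 0 : 1 }'
}

# Convenience wrapper for a file on disk, e.g. audit_config /etc/apache2/apache2.conf
audit_config() {
  if indexing_enabled < "$1"; then
    echo "$1: directory indexing ENABLED"
  else
    echo "$1: directory indexing off"
  fi
}

# Stand-alone run over the constructed fragments.
for name in APACHE_WEAK APACHE_HARDENED NGINX_WEAK NGINX_HARDENED; do
  eval "conf=\$$name"
  if printf '%s\n' "$conf" | indexing_enabled; then
    echo "$name: directory indexing ENABLED"
  else
    echo "$name: directory indexing off"
  fi
done
```

Note that the check flags Options All as well, because All turns on Indexes implicitly; a config that never mentions Indexes at all still inherits whatever the parent Directory block set, so the safe default is an explicit -Indexes at the document root.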
Tip #2 - Run HTTPS if your website has content of any type that contains sensitive information. I can't believe I still run across websites that ask for a username and password and are still http instead of https. Most people reuse the same usernames and passwords, so if you run a site that collects usernames and passwords and you are not running https, you can compromise that user's name/password not only for your site but for their other sites as well. I won't even use a site for login, credit card info, home address or any other personal info unless it is secured by an SSL certificate.
Tip #3 - If you run an SSL certificate, don't let it expire. Keep track of when your SSL certificate expires; nothing is more annoying than when a major company lets its SSL certificate expire. It looks unprofessional and makes you wonder what other information they aren't properly keeping track of.
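A practical way to keep track of the expiry date is a scheduled check that warns well before the certificate runs out. The following POSIX shell script is an added example, not from the post: it converts the "notAfter" date that openssl x509 prints into a day count, compares it with a reference date, and classifies the certificate as OK, WARN or EXPIRED. The notAfter values and reference dates are constructed; the live_not_after helper, which pulls the served certificate with openssl s_client, is the only part that touches the network and is not exercised by the stand-alone run.

```shell
#!/bin/sh
# Convert either "YYYY-MM-DD" or openssl's notAfter format
# ("Mon DD HH:MM:SS YYYY GMT") to a day count since 1970-01-01, using
# Hinnant's days-from-civil algorithm in awk so it needs no GNU date.
to_days() {
  printf '%s\n' "$1" | awk '
    function days_from_civil(y, m, d,   era, yoe, doy, doe) {
      y -= (m <= 2)
      era = int((y >= 0 ? y : y - 399) / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    BEGIN { months = "JanFebMarAprMayJunJulAugSepOctNovDec" }
    /^[0-9][0-9][0-9][0-9]-/ {
      split($0, p, "-")
      print days_from_civil(p[1] + 0, p[2] + 0, p[3] + 0)
      next
    }
    {
      # openssl pads single-digit days with a space; awk field splitting
      # collapses the extra whitespace, so $1=month $2=day $4=year.
      m = (index(months, $1) + 2) / 3
      print days_from_civil($4 + 0, m, $2 + 0)
    }'
}

# Whole days from a reference date (YYYY-MM-DD) until the notAfter date.
# Negative means the certificate has already expired.
days_until() {
  echo $(( $(to_days "$1") - $(to_days "$2") ))
}

# Print EXPIRED, WARN (fewer than $3 days left, default 30) or OK.
cert_status() {
  left=$(days_until "$1" "$2")
  threshold=${3:-30}
  if [ "$left" -lt 0 ]; then
    echo EXPIRED
  elif [ "$left" -lt "$threshold" ]; then
    echo WARN
  else
    echo OK
  fi
}

# Live check (network; not run here): fetch the served certificate's notAfter.
# Usage: cert_status "$(live_not_after example.com)" "$(date +%Y-%m-%d)" 30
live_not_after() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Stand-alone run over a constructed notAfter value and reference date.
cert_status "Jun 15 12:00:00 2026 GMT" "2026-06-01" 30
```

Run it from cron with a real hostname and today's date, and alert on anything other than OK; a threshold of 30 days leaves time to renew before browsers start showing the warning page.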
Tip #4 - Keep your document root or context root somewhere isolated with no vulnerable sub-folders. A web server generally allows access to anything from the document root and below, so put your document root in its own folder or drive with nothing of value in any sub-folder beneath it, unless you don't mind those resources being exposed through the web server.
Tip #5 - Shut off all non-essential listening ports on your web server. Shut down telnet, ftp, finger, and any other ports you are running that aren't absolutely essential. Run netstat -an | grep -i "listen" on Unix, or netstat -an | find "LISTEN" on Windows, to find which ports your web server is listening on, and shut down any that aren't needed.

Those are some beginner tips that I have for this post. I will follow up with future posts with some additional techniques and basic tips.
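The netstat command above gives you a raw list; what you actually want is the set of listening ports minus the ones you expect. The following POSIX shell functions are an added example, not from the post: they parse netstat -an output in both the Unix layout (state column "LISTEN") and the Windows layout ("LISTENING"), extract the port from the local address, and print any port that is not on an allowlist. The netstat sample embedded in the script is constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output, deliberately mixing Linux-style
# ("LISTEN", with Recv-Q/Send-Q columns) and Windows-style ("LISTENING")
# lines so one parser is shown handling both layouts.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:79             0.0.0.0:0              LISTENING
  UDP    0.0.0.0:123            *:*'

# Read netstat output on stdin; print each listening TCP port once, sorted.
listening_ports() {
  awk 'toupper($1) ~ /^TCP/ && $NF ~ /^LISTEN(ING)?$/ {
         # The local address is field 4 on Linux (after Recv-Q/Send-Q) and
         # field 2 on Windows; whichever it is, the port follows the last ":".
         addr = ($2 ~ /:/) ? $2 : $4
         n = split(addr, parts, ":")
         print parts[n]
       }' | sort -n | uniq
}

# Print listening ports that are not in the space-separated allowlist.
# Usage: netstat -an | unexpected_listeners "80 443"
unexpected_listeners() {
  allow=" $1 "
  listening_ports | while read -r port; do
    case "$allow" in
      *" $port "*) ;;        # expected service, stay quiet
      *) echo "$port" ;;     # anything else deserves a look
    esac
  done
}

# Stand-alone run over the constructed sample. On a real host replace the
# printf with `netstat -an` (or `ss -ltn` on modern Linux, which prints only
# listening TCP sockets in the first place).
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "80 443"
```

Ports 21, 23 and 79 in the sample are exactly the ftp, telnet and finger services the tip tells you to shut down; 3306 is bound to 127.0.0.1 only, which the script still reports so you can decide whether a local-only listener belongs on a web server at all.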