httpd-docs mailing list archives

From Allan Liska
Subject Proposal for Improving the Security Docs
Date Sun, 16 Sep 2001 19:14:50 GMT

  As I mentioned earlier this week, I would like to try to improve the
  layout of the security docs.  I'd really like feedback from people
  on this list as to how in-depth the documents should go.  As an
  example, should we explain how to set permissions for optimal
  security in an Apache root directory?

  There is also the problem of duplication.  If we are going to
  discuss Server Side Includes we obviously have to mention
  mod_include, but should we also discuss access control using
  mod_access, or is that too much overlap?

  Finally, I would really like to see at least links, if not brief
  descriptions, of Apache security exploits.  I know that information
  is available on the site, but I would assume people would go to the
  security section to get that information as well.
  I propose to start small, building on what is already at:

  Then branch out.  The first iteration of this project would look
  something like this:

  Security Tips
        - General Configuration Tips
        - CGI
        - Server Side Includes
        - htaccess
        - Special Issues Relating to Virtual Hosting
        - Security tips for Windows (I'd need some help with this)
        - Security Bulletins

  General configuration tips would include things like not
  activating modules you are not going to use, setting up a directory
  structure, limiting directives to those that are going to be used,

  CGI tips would include the tips already given, plus additional tips,
  like limiting where a CGI script can be accessed from, etc.

  SSI needs to include ways in which an administrator can limit SSI
  without taking away the functionality altogether.  It should also
  include ways to make SSI scripts safer.

  Like SSI, the htaccess section should discuss ways to limit the
  directive so that users can take advantage of it, without
  compromising the system.

  There are a lot of special issues related to Virtual Hosting...I
  don't think this section is the place to fully cover them.  I
  would like to highlight some of the biggest issues, and maybe
  include some pointers to off-site areas.

  Not sure what special issues are related to Microsoft Windows and
  Apache, but I would imagine simply the different nature of the file
  systems, etc., would create some differences in security
  precautions.  If I am wrong, please let me know.

  I'd really like feedback from everyone as to whether or not this is
  a good start...or if there should be more information included?


