Chapter 8. Securing Web Services

You've toiled for hours crafting your firewall rules and hardening your email and DNS services. You believe that no evil force could breach your fortress walls. But now you blast a hole straight through those walls to a port on your server. Then you let anyone in the world run programs on your server at that port, using their own input. These are signs of an unbalanced mind, or of a web administrator.

The Web has many moving parts and is a frequent source of security problems. In this chapter, I assume that you are hosting web servers and are responsible for their security. I dwell on servers exposed to the Internet, but most of the discussion applies to intranets and extranets as well. The platform is LAMP: Linux, Apache, MySQL, PHP (and Perl). I'll talk about A, M, and P here (with no slight intended to Java, Python, or other good tools). Protect your whole web environment (server, content, applications) and keep the weasels out of your web house.

For other views and details on web security, see Lincoln Stein's World Wide Web Security FAQ (http://www.w3.org/Security/Faq/) and the book Web Security, Privacy and Commerce by Simson Garfinkel with Gene Spafford (O'Reilly).