Hello,

As I mentioned earlier this week, I would like to try to improve the layout of the security docs. I'd really like feedback from people on this list as to how in-depth the documents should go. As an example, should we explain how to set permissions for optimal security in an Apache root directory?

There is also the problem of duplication. If we are going to discuss Server Side Includes we obviously have to mention mod_include, but should we also discuss access control using mod_access, or is that too much overlap?

Finally, I would really like to see at least links, if not brief descriptions, of Apache security exploits. I know that information is available on the site, but I would assume people would go to the security section to get that information as well.

I propose to start small, building on what is already at:

http://httpd.apache.org/docs/misc/security_tips.html

Then branch out. The first iteration of this project would look something like this:

Security Tips
 - General Configuration Tips
 - CGI
 - Server Side Includes
 - htaccess
 - Special Issues Relating to Virtual Hosting
 - Security tips for Windows (I'd need some help with this)
 - Security Bulletins

General configuration tips would include things like not activating modules you are not going to use, setting up a directory structure, limiting directives to those that are going to be used, etc.

CGI tips would include the tips already given, plus additional tips, like limiting where a CGI script can be accessed from, etc.

SSI needs to include ways in which an administrator can limit SSI without taking away the functionality altogether. It should also include ways to make SSI scripts safer.

Like SSI, the htaccess section should discuss ways to limit the directive so that users can take advantage of it without compromising the system.

There are a lot of special issues related to Virtual Hosting... I don't think this section is the place to fully cover them. I would like to highlight some of the biggest issues, and maybe include some pointers to off-site areas.

Not sure what special issues are related to Microsoft Windows and Apache, but I would imagine simply the different nature of the file systems, etc., would create some differences in security precautions. If I am wrong, please let me know.

I'd really like feedback from everyone as to whether or not this is a good start... or if there should be more information included?

Thanks!

allan

--
allan [EMAIL PROTECTED]
http://www.allan.org