<!DOCTYPE html>
<html lang="en">
<head>
<title>Security</title>
<!-- Copyright Embedthis Software. All Rights Reserved. -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0">
<meta name="description" content="Simple, fast, secure embedded web server" />
<link href='https://fonts.googleapis.com/css?family=Source+Sans+Pro:400,700|Open+Sans:300italic,400,300,700'
rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>

<link href="../images/favicon.ico" rel="shortcut icon" />
<link href="../lib/semantic-ui/semantic.min.css" rel="stylesheet" type="text/css" />
<link href="../css/all.min.css" rel="stylesheet" type="text/css" />
<link href="../css/api.min.css" rel="stylesheet" type="text/css" />

</head>
<body class="show-sidebar">
<div class="content">
<h1>Security Considerations</h1>
<p>Securing applications that are accessible to the Internet is not a trivial task. This page outlines some
of the issues and offers tips to help you secure your application using the Embedthis GoAhead
product.</p>
<a id="updates"></a>
<h2>Updates</h2>
<p>Even the best application or HTTP server can have security vulnerabilities that are
discovered only after it has been deployed in the field. It is highly recommended that you stay up to date with the
latest version of GoAhead.</p>
<p><a href="http://www.embedthis.com/">Embedthis</a> offers a Security Enhancement Service as part of a
GoAhead commercial license that will proactively notify you of any security flaws and will expedite fixes or
workarounds to minimize your exposure to the vulnerability.</p>

<a id="account"></a>
<h2>GoAhead User Account</h2>
<p>It is important that you run GoAhead with the lowest system privilege that will get the job done. If any
application is compromised, including GoAhead, the system is safest when the compromised application
has as few privileges as possible.</p>
<a id="directoryPermissions"></a>
<h2>Directory and File Permissions</h2>
<p>This section explains the permission policy to follow should you need to move or modify files and directories.</p>
<p>To enhance security you need to consider the directory and file permissions for three classes of
content:</p>
<ul>
<li>Pages served by the HTTP server</li>
<li>Scripts run by the HTTP server</li>
<li>Configuration and log files used by the HTTP server</li>
</ul>
<p>Pages served by the GoAhead server should be owned by <b>root</b> or <b>administrator</b> and should only be readable
by the GoAhead user account. Directories containing served pages should be readable and executable only, never
writable, by that account.</p>
<p>Scripts run by the GoAhead server should always be outside all directories containing served pages. After
all, you don't want prying eyes viewing your scripts! Scripts should be owned by <b>root</b> or
<b>administrator</b> and should only be readable and executable by the GoAhead user account.</p>
<p>Configuration and log files used by the GoAhead server should always be outside all directories
containing served pages or scripts. The directory containing the log files must be writable by the GoAhead
user account.</p>
<h3>Home Permissions</h3>
<p>The home directory in which GoAhead executes should be owned by <b>root</b> or <b>administrator</b>, and should be
in the group <b>root</b> or <b>administrators</b>. It should be writable only by that specific user and group.</p>
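<p>The following is an added example, not part of the GoAhead project, that audits a deployment against the permission policy above: it assumes the document root, script directory and log directory are passed as arguments and that it is run as the GoAhead user account, since the log-directory writability check is relative to the invoking user. Ownership by <b>root</b> or <b>administrator</b> is not verified here because that needs a non-portable <code>stat</code> invocation; check it separately.</p>

```shell
# Added example (not GoAhead project code): audit served pages, scripts and
# logs against the permission policy described on this page.
# usage: goahead_perms_audit DOCROOT SCRIPTS_DIR LOG_DIR   (run as the GoAhead user)
goahead_perms_audit() {
    docroot=$1 scripts=$2 logs=$3
    rc=0
    for d in "$docroot" "$scripts" "$logs"; do
        [ -d "$d" ] || { echo "MISSING directory: $d"; return 1; }
    done
    # Normalise to absolute, symlink-free paths so containment checks are exact.
    docroot=$(cd "$docroot" && pwd -P)
    scripts=$(cd "$scripts" && pwd -P)
    logs=$(cd "$logs" && pwd -P)

    # 1. Served pages are read-only: nothing under the document root may be
    #    group- or world-writable (mode bits 020 / 002), directories included.
    bad=$(find "$docroot" \( -perm -020 -o -perm -002 \) 2>/dev/null || true)
    if [ -n "$bad" ]; then
        echo "WRITABLE content under $docroot:"; echo "$bad"; rc=1
    fi
    # 2. Scripts must live outside every directory of served pages.
    case "$scripts" in
        "$docroot"|"$docroot"/*) echo "SCRIPTS inside document root: $scripts"; rc=1 ;;
    esac
    # 3. Logs must be outside pages and scripts, and writable by the GoAhead account.
    case "$logs" in
        "$docroot"|"$docroot"/*|"$scripts"|"$scripts"/*)
            echo "LOGS inside pages or scripts: $logs"; rc=1 ;;
    esac
    [ -w "$logs" ] || { echo "LOGS not writable by $(id -un): $logs"; rc=1; }
    return $rc
}

# When run as a script with three paths (constructed example paths shown in the
# usage line above), audit them and exit non-zero on any policy violation.
if [ $# -eq 3 ]; then
    goahead_perms_audit "$1" "$2" "$3"
fi
```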

<a id="authentication"></a>
<h2>Authentication</h2>
<p>It is highly recommended that you use <a href="authentication.html#formAuthentication">Form-based</a>
authentication and not Basic authentication. As implemented in GoAhead, Form authentication over SSL
provides many safeguards against known exploits, including man-in-the-middle attacks, client spoofing
and replay attacks.</p>

<a id="sandBoxing"></a>
<h2>Sandboxing</h2>
<p>Sandboxing is the term applied to running GoAhead in a confined environment. When embedding an HTTP server
in an application, the profile of client access is often well known. This profile includes the rate of
accesses, the length of URLs and the size of pages returned to the user.</p>
<p>GoAhead has a set of build-time configuration options that let you define a sandbox specifying the limits a
request must stay within for GoAhead to service it. By using well-defined sandbox directives, you can help
ensure that your application will not be compromised by malicious requests.</p>
<h3>Limit Directives</h3>
<p>The limit directives are defined in <i>main.me</i>, which is used by <i>MakeMe</i> when configuring GoAhead
and generating the <i>bit.h</i> header that is included by the GoAhead source code.</p>
<table title="sandbox" class="ui table segment">
<thead>
<tr>
<th>Directive</th><th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td class="pivot">limitBuffer</td>
<td>General I/O buffer size</td>
</tr>
<tr>
<td class="pivot">limitFilename</td>
<td>Maximum filename size</td>
</tr>
<tr>
<td class="pivot">limitHeader</td>
<td>Maximum size of the request header</td>
</tr>
<tr>
<td class="pivot">limitNumHeaders</td>
<td>Maximum number of header lines in the request</td>
</tr>
<tr>
<td class="pivot">limitParseTimeout</td>
<td>Maximum time to parse the request headers</td>
</tr>
<tr>
<td class="pivot">limitPassword</td>
<td>Maximum size of a password</td>
</tr>
<tr>
<td class="pivot">limitPost</td>
<td>Maximum size of the incoming POST request body</td>
</tr>
<tr>
<td class="pivot">limitPut</td>
<td>Maximum size of the incoming PUT request body</td>
</tr>
<tr>
<td class="pivot">limitSessionLife</td>
<td>Default session lifespan in seconds</td>
</tr>
<tr>
<td class="pivot">limitSessionCount</td>
<td>Maximum number of sessions</td>
</tr>
<tr>
<td class="pivot">limitString</td>
<td>Default string size</td>
</tr>
<tr>
<td class="pivot">limitTimeout</td>
<td>Request inactivity timeout in seconds</td>
</tr>
<tr>
<td class="pivot">limitUri</td>
<td>Maximum URI size</td>
</tr>
<tr>
<td class="pivot">limitUpload</td>
<td>Maximum size of a file upload request</td>
</tr>
</tbody>
</table>
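<p>As an added example that is not GoAhead project code, the script below reads the limit values compiled into a generated build header and flags any that exceed a deployment policy, which goes slightly beyond the page by treating the sandbox limits as something to re-verify after every build. The macro naming (<code>BIT_LIMIT_POST</code> for <code>limitPost</code>, and so on), the sample header and the policy ceilings are all assumptions constructed for this example; match the prefix to what your MakeMe build actually writes.</p>

```shell
# Added example (not GoAhead project code): check compiled-in sandbox limits
# against a policy. The BIT_LIMIT_* macro names are an assumption for this
# example; adjust PREFIX to match the header your build generates.
# usage: goahead_limits_audit HEADER PREFIX < policy   (policy: "NAME MAX" per line)
goahead_limits_audit() {
    header=$1 prefix=$2 rc=0
    [ -r "$header" ] || { echo "cannot read $header"; return 1; }
    while read -r name max; do
        [ -n "$name" ] || continue
        # Extract the integer literal from "#define <PREFIX><NAME>  <number>".
        value=$(sed -n "s/^[[:space:]]*#define[[:space:]]\{1,\}${prefix}${name}[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" "$header")
        if [ -z "$value" ]; then
            echo "MISSING ${prefix}${name}: limit is not compiled in"; rc=1
        elif [ "$value" -gt "$max" ]; then
            echo "TOO_LARGE ${prefix}${name}=$value exceeds policy maximum $max"; rc=1
        fi
    done
    return $rc
}

# Constructed sample header standing in for a generated bit.h (not real output).
SAMPLE_HEADER=$(mktemp)
cat > "$SAMPLE_HEADER" <<'EOF'
#define BIT_LIMIT_BUFFER 1024
#define BIT_LIMIT_HEADER 2048
#define BIT_LIMIT_NUM_HEADERS 64
#define BIT_LIMIT_POST 1048576
#define BIT_LIMIT_URI 2048
EOF

# Constructed policy: the POST ceiling is deliberately tighter than the header,
# so this demo run reports a violation.
if printf 'HEADER 4096\nNUM_HEADERS 64\nPOST 16384\nURI 2048\n' \
        | goahead_limits_audit "$SAMPLE_HEADER" BIT_LIMIT_; then
    echo "all limits within policy"
else
    echo "policy violations found: tighten the limit directives in main.me and rebuild"
fi
```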
</div>
<div class="terms ui basic center aligned segment">
<p>© Embedthis Software, 2003-2015. All rights reserved.</p>
</div>
<script src="../lib/jquery/jquery.min.js"></script>
<script src="../lib/semantic-ui/semantic.min.js"></script>
<script src="../scripts/sidebar.min.js"></script>


</body>
</html>