Securing your server (the machine and OS)

• http://www.enteract.com/~lspitz/pubs.html (several papers on securing your OS --StephanDiehl?)
• WhichOperatingSystem

Securing your web server (Apache, IIS, etc.)

• http://httpd.apache.org/docs/misc/security_tips.html
• http://www.bignosebird.com/apache/a11.shtml

Securing your installation of Webware

• Open Webware/WebKit/Application.config with a text editor and change the 'AdminPassword?'. (or remove the Admin context completely.)

Securing your Webware application

• If your app requires client authentication, read Dos and Don’ts of Client Authentication on the Web to avoid many common web authentication pitfalls.

The two things I love most about this system are: 1) it's simple, and 2) it doesn't require sessions (server state). -- TerrelShumway - 10 July 2004

You might also consider:

• periodically reseeding python's random number generator from a strong source (such as /dev/random or EGD),

• binding session Ids to client IP addresses (though this may annoy mobile DHCP sessions),

• after successful name+password authentication in an SSL session, drop the old session and generate a new one. Set the "secure" flag in the associated _SID_ cookie sent to the client, to reduce the risk of eavesdropping. -- KenLalonde? - 28 Nov 2001

• URLSessionIDSecurity -- security concerns if you put the

  session ID in the URL (via GET variable or path)

General notes and links

• http://www.w3.org/Security/
• http://www.w3.org/Security/Faq/
• http://www.yourwindow.to/information-security/ (security glossary)
• http://www.counterpane.com/crypto-gram.html (monthly security newsletter by Bruce Schneier --StephanDiehl?)

-- TavisRudd? - 22 Nov 2001 -- ChuckEsterbrook - 10 Dec 2001