This page is for notes and discussion on how to secure all aspects of your Webware application. If you have links to other pages related to web-server and OS security issues please add them below.
http://www.enteract.com/~lspitz/pubs.html (several papers on securing your OS --StephanDiehl)
Open Webware/WebKit/Application.config with a text editor and change the 'AdminPassword' (or remove the Admin context completely).
If your app requires client authentication, read Dos and Don’ts of Client Authentication on the Web to avoid many common web authentication pitfalls.
The two things I love most about this system are: 1) it's simple, and 2) it doesn't require sessions (server state). -- TerrelShumway - 10 July 2004
You might also consider:
- periodically reseeding python's random number generator from a strong source (such as /dev/random or EGD),
- binding session IDs to client IP addresses (though this may annoy mobile DHCP sessions),
- after successful name+password authentication in an SSL session, drop the old session and generate a new one. Set the "secure" flag in the associated _SID_ cookie sent to the client, to reduce the risk of eavesdropping. -- KenLalonde - 28 Nov 2001
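An added example (not Webware's own code) in Python 3 of the session handling KenLalonde recommends above: unguessable IDs, a session bound to the client IP, a new session issued after login with the old one dropped, and the _SID_ cookie sent with the Secure flag. The in-memory store, the function names and the HttpOnly flag are this example's own assumptions; the `secrets` module reads the OS entropy source directly, so the reseeding step above applies to the `random` module, not to it.

```python
import secrets
from http.cookies import SimpleCookie

# Minimal in-memory session store (constructed for this example, not Webware's).
# Keys are session IDs; values hold the session data plus the client IP the
# session was first issued to.
_sessions = {}


def new_session(client_ip, data=None):
    """Create a session with a fresh, unguessable ID bound to the client IP."""
    sid = secrets.token_urlsafe(32)  # 256 bits from os.urandom, no reseeding needed
    _sessions[sid] = {"ip": client_ip, "data": dict(data or {})}
    return sid


def lookup(sid, client_ip):
    """Return session data, or None if the ID is unknown or came from another IP."""
    entry = _sessions.get(sid)
    if entry is None or entry["ip"] != client_ip:
        return None
    return entry["data"]


def regenerate_after_login(old_sid, client_ip, username):
    """Drop the pre-login session and issue a new ID carrying the login state.

    Anyone who learned the pre-authentication ID (e.g. by eavesdropping on the
    non-SSL part of the site) is left holding an ID that no longer exists.
    """
    old = _sessions.pop(old_sid, None)  # old ID is invalid from here on
    data = dict(old["data"]) if old else {}
    data["user"] = username
    return new_session(client_ip, data)


def sid_cookie_header(sid):
    """Build the Set-Cookie header value for the _SID_ cookie with Secure set."""
    c = SimpleCookie()
    c["_SID_"] = sid
    c["_SID_"]["secure"] = True    # browser sends it only over SSL/TLS
    c["_SID_"]["httponly"] = True  # and never exposes it to page scripts (assumption)
    c["_SID_"]["path"] = "/"
    return c.output(header="").strip()
```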
- URLSessionIDSecurity -- security concerns if you put the session ID in the URL (via GET variable or path)
http://www.yourwindow.to/information-security/ (security glossary)
http://www.counterpane.com/crypto-gram.html (monthly security newsletter by Bruce Schneier --StephanDiehl)
-- TavisRudd - 22 Nov 2001 -- ChuckEsterbrook - 10 Dec 2001