Guidelines on Securing Public Web Servers
E-mail address
Mailing address
Telephone number
SSN
Financial information.
Federal agencies and many state agencies are also restricted in their ability to use Web browser cookies [OMB00a, OMB00b, OMB00c, and MASS99]. A cookie is a small piece of information that may be written to a user's hard drive when a Web site is visited. There are two principal types of cookies.

Those that cause the most concern are called persistent cookies. These cookies can be used to track the activities of users over time and across different Web sites. The most common use of persistent cookies is to retain and correlate information about users between sessions. Federal agencies and many state agencies are generally prohibited from using persistent cookies on publicly accessible Web sites.

Session cookies are valid for a single session (visit) to a Web site. These cookies expire at the end of the session or within a limited time frame. Because these cookies cannot be used to track personal information, they are generally not subject to the prohibition that applies to persistent cookies. However, their use must be clearly stated and defined in the Web site's privacy statement.
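The distinction above is visible in the Set-Cookie headers a server emits: a cookie with no Expires or Max-Age attribute lives only for the browser session, while one with a future Expires or a positive Max-Age is persistent. The following audit helper, added here as an example and not taken from the publication or from any agency tool, classifies constructed sample headers by that rule so an administrator can check a public server for persistent cookies that the privacy statement does not justify.

```python
"""Flag persistent cookies in Set-Cookie headers (hypothetical audit helper)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample headers, as a public Web server might send them.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",               # session cookie
    "visitor_id=xyz; Max-Age=31536000; Path=/",                   # persistent (one year)
    "prefs=en; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",    # already expired: a deletion
    "tracker=1; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/",   # persistent
]
# Fixed reference time so the audit result is reproducible.
REFERENCE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)


def classify_set_cookie(header: str, now: Optional[datetime] = None) -> dict:
    """Return {'name', 'persistent', 'reason'} for a single Set-Cookie header value."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age, expires = None, None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "max-age" and value.lstrip("-").isdigit():
            max_age = int(value)
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                pass  # unparseable date: browsers fall back to a session cookie
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    if max_age is not None:
        return {"name": name, "persistent": max_age > 0,
                "reason": f"Max-Age={max_age}" if max_age > 0 else "Max-Age<=0 deletes the cookie"}
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires > now:
            return {"name": name, "persistent": True, "reason": f"Expires={expires.isoformat()}"}
        return {"name": name, "persistent": False, "reason": "Expires in the past deletes the cookie"}
    return {"name": name, "persistent": False, "reason": "no Expires/Max-Age: session cookie"}


def audit_headers(headers, now: Optional[datetime] = None) -> list:
    """Names of cookies the privacy statement would have to justify as persistent."""
    return [c["name"] for c in (classify_set_cookie(h, now) for h in headers) if c["persistent"]]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_set_cookie(h, REFERENCE_TIME))
    print("persistent cookies:", audit_headers(SAMPLE_HEADERS, REFERENCE_TIME))
```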
6.3  Securing Active Content and Content Generation Technologies 
In the early days of the WWW, most sites presented static textual information based on the American Standard Code for Information Interchange (ASCII). No interactivity existed between the user and the Web site beyond the user clicking on hyperlinks. Soon thereafter, interactive elements were introduced that offered users new ways to interact with the Web site. Unfortunately, these interactive elements introduced a raft of new Web-related vulnerabilities.[22]

Active content refers to interactive elements processed at the client (Web browser). If not implemented correctly, active content can present a serious threat to the end user. For example, active content can take actions without the express permission of the user. A variety of active content technologies exist. Some of the more popular examples include ActiveX, Java, VBScript, and JavaScript. Organizations considering the deployment of client-side active content should carefully consider the risks to their users, as the use of active content often requires the user to reduce the security settings on their Web browser.

Content generators are implemented on the server and thus represent a threat to the Web server itself. The danger in content generators is that they may accept input from users and can take actions on the Web server. If the content generator has not been programmed correctly, an
[22] For more extensive guidelines on active content, please see NIST Special Publication 800-28, Guidelines on Active Content and Mobile Code (http://csrc.nist.gov/publications/nistpubs/index.html).