Guidelines on Securing Public Web Servers
- Client security is well integrated with Web server and host operating system authentication services.
- ASP does not support security policy enforcement, so there is no method for the content developer or administrator to constrain privileges.
- Relatively immune to buffer overflows.
- Often uses Component Object Model (COM) objects, which may have weak security.
- Well documented and mature technology.
Java Servlets
Servlets are based on Java technology (see Section 6.3.1) and are a type of server-side applet. The Web server first determines whether the browser's request requires dynamically generated information from a servlet. If so, the Web server can then locate or instantiate a servlet object corresponding to the request (e.g., by uploading the code from another server) and invoke it to obtain the needed results. The Web server typically populates itself with the servlet objects, which remain active until invoked. Thus, no startup overhead is associated with execution of the servlet objects. A Web server may also offload the handling of servlets to another server. By relying on Java portability and observing a common application programming interface, servlet objects can run in nearly any server environment. Servlets support an object-oriented environment on the Web server, which is flexible and extensible. Moreover, untrusted servlet objects can be executed in a secure area, with the dynamically generated information being passed from the secure area into the remaining server environment [NIST01a].
Some issues to consider when contemplating the deployment of Java Servlets [Zir02]:
- Tightly integrated with host operating system security and Web server authentication for strong security.
- Facilitates secure programming:
  - Leverages the security of the Java language
  - Strong security model supporting constraints by developers and server administrators
  - Secure error handling
- Well documented and mature technology.
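The following servlet is an added illustration of the "secure error handling" and developer-side constraint points listed above; it is not code from the NIST guideline. It validates its single request parameter against an allow-list, keeps failure detail in the server log while returning only a generic status to the client, and escapes everything it echoes back into the page. The class name, the `id` parameter and the `lookupBalance()` back-end call are assumptions made for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustrative servlet (not from the NIST document). The class name, the "id"
// parameter and lookupBalance() are assumptions made for this example.
public class AccountLookupServlet extends HttpServlet {

    private static final Logger LOG =
            Logger.getLogger(AccountLookupServlet.class.getName());

    // Allow-list pattern for the single parameter this servlet accepts.
    private static final Pattern ACCOUNT_ID = Pattern.compile("[0-9]{1,10}");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Validate input against the allow-list before doing anything else.
        String id = req.getParameter("id");
        if (id == null || !ACCOUNT_ID.matcher(id).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid request");
            return;
        }

        // 2. Do the work; the back end may throw, so keep the call inside try.
        String balance;
        try {
            balance = lookupBalance(id);          // hypothetical back-end call
        } catch (RuntimeException e) {
            // Full detail goes to the server log only; the client gets a
            // generic status so stack traces and internal names never leak.
            LOG.log(Level.SEVERE, "balance lookup failed for account " + id, e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                           "Internal error");
            return;
        }

        // 3. Render the result, escaping anything that came from outside.
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("Balance for account " + escapeHtml(id) + ": "
                    + escapeHtml(balance));
        out.println("</body></html>");
    }

    // Stand-in for a database or EJB call; replace with the real back end.
    private String lookupBalance(String id) {
        return "0.00";
    }

    // Minimal HTML escaping so dynamically generated text cannot inject markup.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The administrator-side constraint mentioned in the list is applied outside the servlet code: when the container runs with a Java security manager, the permissions a servlet may exercise (file, socket, property access) are granted or denied in the JVM policy file, so a servlet like this one cannot acquire privileges its deployer did not grant.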
PHP (Hypertext Preprocessor)
PHP is a scripting language used to create dynamic Web pages. With syntax from C, Java, and Perl, PHP code is embedded within HTML pages for server-side execution. PHP is commonly used to extract data from a database and present it on the Web page. Most major NT and Unix Web servers support the language, and it is widely used with the MySQL database [NIST01a]. Some issues to consider when contemplating the deployment of PHP:
- Old versions of PHP have numerous security vulnerabilities; upgrade to the latest version.