Guidelines on Securing Public Web Servers
Completed
Action
Copyrighted material without the written permission of the owner
Privacy or security policies that indicate the types of security
measures in place to the degree that they may be useful to an
attacker
Establish an organization-wide, documented, formal policy and
process for approving public Web content that
Identifies information that should be published on the Web
Identifies target audience
Identifies possible negative ramifications of publishing the
information
Identifies who should be responsible for creating, publishing, and
maintaining this particular information
Provides guidelines on styles and formats appropriate for Web
publishing
Provides for appropriate review of the information for sensitivity and
distribution/release controls (including the sensitivity of the
information in aggregate)
Determines the appropriate access and security controls
Provides guidance on the information contained within the source
code of the Web content
Web user privacy considerations
Published privacy policy
Prohibition on the collection of personally identifying data without the
explicit permission of the user
Prohibition on the use of persistent cookies
Use of session cookies, if any, is clearly identified in the published
privacy policy
Client side active content security considerations
Used only when absolutely required
No actions taken without the express permission of the user
No use of high risk client side active content
When possible, alternatives are provided (e.g., plain text provided
along with PDF)
Server side active content security considerations
Simple, easy-to-understand code
Limited or no reading or writing of files
Limited or no interaction with other programs (e.g., sendmail)
No requirement to run with suid privileges
Use of explicit path names (i.e., does not rely on the PATH variable)
No directories have both write and execute permissions
All executable files are placed in dedicated folders
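The last three server-side items (no suid requirement, no directory that is both writable and executable, executables confined to dedicated folders) can be checked mechanically against a deployed content tree. The following POSIX shell audit is an added example, not part of the guideline; the tree layout, the dedicated folder name "cgi-bin", and the sample files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a web content tree against three server-side active content items from
# the checklist: no setuid/setgid files, no directory that is both writable and
# holds executable content, and every executable confined to one dedicated
# folder. The folder name "cgi-bin" and the sample tree are assumptions made
# for this example.

# Directories writable by group or other that also hold a file with an execute
# bit: a writable upload location that can also run code is the combination
# the checklist forbids.
writable_dirs_with_executables() {
    find "$1" -type d \( -perm -g+w -o -perm -o+w \) | sort | while IFS= read -r dir; do
        if [ -n "$(find "$dir" -maxdepth 1 -type f \
                \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print | head -n 1)" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Files carrying the setuid (4000) or setgid (2000) bit anywhere under the root.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Executable files that live outside the dedicated folder $2 (relative to $1).
executables_outside() {
    find "$1" -path "$1/$2" -prune -o -type f \
        \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print | sort
}

# Count lines on stdin (portable, and 0 for empty input).
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# Run the three checks, print findings, return non-zero if any were found.
audit_web_root() {
    root=$1; cgi=$2; findings=0
    for check in writable_dirs_with_executables setuid_files; do
        out=$("$check" "$root")
        if [ -n "$out" ]; then
            printf '%s:\n%s\n' "$check" "$out"; findings=$((findings + 1))
        fi
    done
    out=$(executables_outside "$root" "$cgi")
    if [ -n "$out" ]; then
        printf 'executables_outside %s:\n%s\n' "$cgi" "$out"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample tree: one compliant CGI script, one stray script in the
# document root, one world-writable upload directory holding a script, and one
# setuid file standing in for a binary. Prints the temporary root path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/cgi-bin" "$root/htdocs" "$root/uploads"
    chmod 0755 "$root/cgi-bin" "$root/htdocs"
    printf '#!/bin/sh\necho ok\n' > "$root/cgi-bin/form.cgi"
    chmod 0755 "$root/cgi-bin/form.cgi"
    printf '<html></html>\n' > "$root/htdocs/index.html"
    chmod 0644 "$root/htdocs/index.html"
    printf '#!/bin/sh\n' > "$root/htdocs/stray.sh"
    chmod 0755 "$root/htdocs/stray.sh"
    printf '#!/bin/sh\n' > "$root/uploads/dropped.sh"
    chmod 0755 "$root/uploads/dropped.sh"
    chmod 0777 "$root/uploads"
    printf 'binary stand-in\n' > "$root/htdocs/helper"
    chmod 4755 "$root/htdocs/helper"
    echo "$root"
}

# Stand-alone run: build the sample tree, audit it, clean up.
demo_root=$(build_sample_tree)
if audit_web_root "$demo_root" cgi-bin; then
    echo "no checklist violations"
else
    echo "checklist violations found under $demo_root"
fi
rm -rf "$demo_root"
```

On a real server, call `audit_web_root /var/www cgi-bin` (or whatever the document root and dedicated script folder are) from a cron job and alert on a non-zero exit; the checks read only permission bits, so they are safe to run repeatedly and catch the common drift of an upload directory being opened up or a script being dropped next to static content.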