4 Web server security
This chapter covers
- The importance of validating inputs sent to a web server
- How escaping control characters in output can defuse many attacks on a web server
- The correct HTTP methods to use when fetching and editing resources on a web server
- How using multiple overlapping layers of defense can help keep your web server secure
- How restricting permissions in the web server can help protect your application
In Chapter 2 we dealt with security in the browser. In this chapter we will look at the other end of the HTTP conversation: the web server. Web servers are notionally simpler than browsers—they are, essentially, machines for reading HTTP requests and writing HTTP responses—but they are also a far more common target for hackers. A hacker can target code in a browser only indirectly, by building malicious websites or finding ways to inject JavaScript into existing ones. Web servers, on the other hand, are directly accessible to anyone with an internet connection and a desire to cause trouble.
Validating input
Securing a web server starts at its boundary. Most attempts to attack your web server arrive as maliciously crafted HTTP requests, sent by scripts or bots that probe your server for vulnerabilities. Protecting yourself against these threats should be a priority. Such attacks can be mitigated by validating HTTP requests as they arrive and rejecting any that do not match what your application expects, rather than trying to guess which ones look suspicious. Let's look at a few methods of doing this.
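As an added illustration of boundary validation (this code is not from the book or any framework), the function below checks an incoming request against an allow-list: only known methods, exactly matched paths, expected and well-formed parameters, bounded bodies, and a supported Content-Type get through. The routes, parameter patterns and sample requests are hypothetical, constructed for the example.

```python
import re
from typing import NamedTuple, Optional


# Minimal request model for the example; a real framework supplies the
# equivalent fields from its own request object.
class Request(NamedTuple):
    method: str
    path: str
    query: dict      # parsed query-string parameters, name -> value
    headers: dict    # header name (lower-case) -> value
    body: bytes


# Allow-lists: everything not explicitly permitted is rejected.
ALLOWED_METHODS = {"GET", "POST"}
MAX_BODY_BYTES = 64 * 1024
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
ITEM_ID_RE = re.compile(r"[0-9]{1,10}")

# Hypothetical per-route schema: which query parameters each route expects
# and what each value may look like.
ROUTES = {
    "/login": {"username": USERNAME_RE},
    "/items": {"id": ITEM_ID_RE},
}


def validate(req: Request) -> Optional[str]:
    """Return None if the request passes validation, otherwise a short reason."""
    if req.method not in ALLOWED_METHODS:
        return f"method not allowed: {req.method}"
    # Exact path match rejects traversal (/items/../admin), trailing junk and unknown routes.
    schema = ROUTES.get(req.path)
    if schema is None:
        return f"unknown path: {req.path}"
    # Every supplied parameter must be expected and well-formed; extras are not tolerated.
    # fullmatch() is used deliberately: re.match() with a '$' anchor would accept "42\n".
    for name, value in req.query.items():
        pattern = schema.get(name)
        if pattern is None:
            return f"unexpected parameter: {name}"
        if not isinstance(value, str) or not pattern.fullmatch(value):
            return f"malformed parameter: {name}"
    # Bodies are bounded and, for POST, must carry a Content-Type the app actually parses.
    if len(req.body) > MAX_BODY_BYTES:
        return "body too large"
    if req.method == "POST":
        ctype = req.headers.get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            return f"unsupported content type: {ctype or '<none>'}"
    return None


# Constructed sample requests, one benign and several shaped like common probes
# (not captured from a real server).
FORM = {"content-type": "application/x-www-form-urlencoded"}
SAMPLES = {
    "benign": Request("GET", "/items", {"id": "42"}, {}, b""),
    "bad_method": Request("DELETE", "/items", {"id": "42"}, {}, b""),
    "sqli": Request("GET", "/items", {"id": "42 OR 1=1"}, {}, b""),
    "traversal": Request("GET", "/items/../admin", {}, {}, b""),
    "extra_param": Request("GET", "/login", {"username": "alice", "debug": "1"}, {}, b""),
    "newline": Request("GET", "/items", {"id": "42\n"}, {}, b""),
    "oversize": Request("POST", "/login", {"username": "alice"}, FORM, b"x" * (MAX_BODY_BYTES + 1)),
    "bad_ctype": Request("POST", "/login", {"username": "alice"}, {"content-type": "text/xml"}, b"<a/>"),
}


def triage(samples=SAMPLES):
    """Validate each sample; returns name -> rejection reason (None means accepted)."""
    return {name: validate(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, reason in triage().items():
        print(f"{name:12} -> {'accepted' if reason is None else 'rejected: ' + reason}")
```

The point of the allow-list shape is that the validator never has to recognise an attack: the injection attempt and the newline-padded value are both rejected simply because they are not a decimal item ID, and a new probing technique is rejected for the same reason without any rule being added.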