Posted by johnm on December 6, 2005 at 12:07 PM PST
Why is web server security so much of an afterthought?
Pete Freitag writes up 20 ways to Secure your Apache Configuration. Now, all 20 tips are useful and help make Apache less insecure, but they certainly don't make an Apache installation actually "secure."
First off, note clearly how many things you have to go out of your way to turn off. That is, look at all of the extraneous, insecure junk that is installed and configured as part of a default Apache setup. That's a big violation of the security dictum that a system should be secure by default, so that adding extra, insecure things requires explicit action. An example of why this is so important: if you actually go through all of this tightening, then upgrade that server and forget to go back and do all of the tightening again... Oops, not only is your system insecure again, but you'll probably be under the false assumption that it is secure when it isn't. I've seen this happen way too many times to my clients and friends.
Second, if one really cares about security, why on earth would anyone consider Apache at all? There are many much better HTTP server solutions out there for anyone needing serious security, such as publicfile. Publicfile takes an arguably extreme approach and is fundamentally incapable of the vast majority of web server security problems. Failing that, other web servers such as the venerable, static-speed demon thttpd, the new, feature-rich kid on the block, LightTPD, or even the commercial king-of-the-hill Zeus Web Server can be a much better blend of increased security and increased performance.
Of course, if you're doing Java-based web server applications, Jetty and Resin are great solutions, but they also tend to err by having way too much enabled in their default configurations.
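The upgrade regression described in the first point above is cheap to catch mechanically. The following Python is an added example, not code from this post or from the Apache project: it audits an httpd.conf for a few hardening settings and reports what a vendor default has reverted. ServerTokens, ServerSignature, TraceEnable and LoadModule are real Apache directives; the expected values, the "risky module" list and the two sample configs are this example's own assumptions.

```python
import re

# Real Apache directives; the expected values are this example's hardening choice.
EXPECTED = {"ServerTokens": "Prod", "ServerSignature": "Off", "TraceEnable": "Off"}
# Modules a minimal server rarely needs; each one loaded is extra surface (example's own list).
RISKY_MODULES = {"autoindex_module", "status_module", "info_module", "userdir_module", "cgi_module"}
LOADMODULE_RE = re.compile(r"^LoadModule\s+(\w+)\s+\S+", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^(\w+)\s+(.+?)$")

def parse_config(text):
    """Simplified parser: last value wins per directive and <Section> tags are
    skipped, so only server-scope settings are examined."""
    directives, modules = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        if m := LOADMODULE_RE.match(line):
            modules.add(m.group(1))
        elif m := DIRECTIVE_RE.match(line):
            directives[m.group(1).lower()] = m.group(2).strip()
    return directives, modules

def audit_config(text):
    """Return a list of findings; an empty list means the hardening is intact."""
    directives, modules = parse_config(text)
    findings = []
    for name, want in EXPECTED.items():
        got = directives.get(name.lower())
        if got is None:
            findings.append(f"{name} not set explicitly (default applies)")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")
    for mod in sorted(modules & RISKY_MODULES):
        findings.append(f"LoadModule {mod}: unneeded module enabled")
    return findings

# Constructed samples: the hardened file, and what a package upgrade left behind.
HARDENED = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
"""
AFTER_UPGRADE = """\
# vendor default restored by the upgrade
ServerTokens OS
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
LoadModule dir_module modules/mod_dir.so
"""
```

Run it against the live config after every package upgrade (for example from a post-install hook) and alert on a non-empty result.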