Security
The college web infrastructure is designed to scale securely to a large number of users and employ cost-effective technologies, such as those from the open-source community.
WRAP
SSL-based authentication for web pages is provided by WRAP (Web Realm Authentication Protocol), a web-security technology developed at NCSU. When you log in to WRAP, your username and password are sent to an SSL-secured server where they are verified. Additionally, some vhosts are SSL enabled as needed.
In AFS, you secure directories, not individual files. If you have content to restrict to certain users, create a .htaccess file and place it in the directory you want to secure. Put the following directives in the .htaccess file to require a login with a campus Unity ID for any page in the directory.
AuthType WRAP
require affiliation ncsu.edu
require known-user
Read more about creating .htaccess files at NC State.
Securing Web Apps
- Know your security personnel and educate yourself in web security before installing applications. For engineering web security questions, contact eoshelp@ncsu.edu.
- Do not install applications, such as CMSs, in the root of the site.
- Remove any unnecessary installation-specific files after you've completed the installation.
- Avoid using administrative passwords directly in your code.
- Configure the app to work under open_basedir restrictions, which allow scripts to reference paths down the directory tree but not up, keeping scripts out of other web sites on the server.
- Check for errors in your application using webtest.
- Clean up errors that go into the error log.
- If you have an administrative interface for your web app, restrict access to as few people as possible using WRAP.
- Use WRAP rather than application accounts whenever possible. Avoid being in charge of accounts and passwords.
- Never store passwords in plain text within a database; use one-way hash functions such as md5() within PHP to hash sensitive data.
- Remove server write access from any database you request once it is no longer needed.
- Monitor what goes into form fields. Good input validation helps prevent attacks such as SQL injection.
- Eliminate open redirects and symlinks.
- Turn off all HTTP methods you don't use; GET and POST are generally all you need.
- Remove old apps to prevent exploitation.
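As an added example (not code from this page or from NC State), the following PHP login handler puts the password-storage and input-validation items above into practice. It uses PDO prepared statements so form input is bound as data rather than spliced into SQL, and PHP's built-in password_hash()/password_verify() (a salted, slow hash) in place of the bare md5() call mentioned above. The users table, the Unity ID pattern, and the sample credentials are constructed for this example; an in-memory SQLite database stands in for MySQL so it runs stand-alone.

```php
<?php
// Added example, not part of the original page. Schema, ID pattern and
// credentials are constructed; SQLite in memory replaces MySQL for portability.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

// Store only a salted one-way hash of the password, never the password itself.
function registerUser(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Validate the form field first (assumed Unity ID shape: 1-32 lowercase
// alphanumerics), then bind it as a parameter so it can never alter the query.
function checkLogin(PDO $db, string $username, string $password): bool {
    if (!preg_match('/^[a-z0-9]{1,32}$/', $username)) {
        return false;
    }
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Constant-time comparison against the stored hash.
    return password_verify($password, $row['pw_hash']);
}

$db = openDb();
registerUser($db, 'jdoe', 'correct horse battery staple');

var_dump(checkLogin($db, 'jdoe', 'correct horse battery staple'));
var_dump(checkLogin($db, 'jdoe', 'wrong password'));
// Quote characters in the username fail validation before any SQL runs.
var_dump(checkLogin($db, "jdoe' OR '1'='1", 'anything'));
```

Only the first call succeeds; the rejected username in the last call never reaches the database, and even if validation were loosened the bound parameter would still be treated as a literal string.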
See additional details at Implementing PHP/MySQL, Guidelines for PHP Writable Web Space, and Testing and Staging.