A system whose primary function is to deliver web pages on request to clients.
38 votes, 11 answers, 4k views
What are the pros and cons of site wide SSL (https)?
What are the pros and cons of encrypting all HTTP traffic for the whole site through SSL, as opposed to SSL on just the login page?
58 votes, 12 answers, 9k views
Apache Server Hardening
What are some best practices, recommendations, required reading for securing an Apache Server?
11 votes, 4 answers, 6k views
What ciphers should I use in my web server after I configure my SSL certificate?
There are many great questions that ask what is the best certificate to use for a website; but once the certificate is purchased, there is also the possibility to choose or edit the Cipher list.
...
16 votes, 7 answers, 598 views
Protecting WordPress installations
How do you go about protecting a default WordPress installation? What checklist do you use, best practices, tips and tricks, etc? Any recommendations on plugins, third-party tools are welcome. Thanks.
...
14 votes, 1 answer, 903 views
Does the practice of blocking off-site “Referer:” HTTP requests improve website security?
Is there any benefit for a security-paranoid website to disallow HTTP requests that have a Referer: from 3rd party sites?
The pitch is that if such an HTTP request were to come in, then certain XSS ...
8 votes, 4 answers, 2k views
IIS logs show someone is trying to hack my site, what should I do?
It looks like someone is trying to hack my site. The following comes from my IIS log files:
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-07-03 00:02:39
#Fields: ...
11 votes, 2 answers, 315 views
Where to report malicious URLs, phishing, and malicious web sites?
I recently discovered that my web designer was hacked: there was an HTML hidden div selling about shoes... I Googled the text in question and voila: thousands of sites have been hacked.
Check this ...
13 votes, 3 answers, 839 views
How to keep a shared web hosting server secure?
What are the ways of keeping a shared LAMP server secure, assuming SSH access is available for every user?
Edit: I am mainly thinking of securing the server from the users themselves and between ...
15 votes, 2 answers, 332 views
What risks should I be aware of before allowing advertisements to be placed on my website?
The thought of having a 3rd party send JavaScript and images to end users seems to be a scary thought, but that is exactly what we are doing when I place advertisements onto my site.
Does serving ...
40 votes, 4 answers, 3k views
I think I accidentally DoS'd a website. What should I do?
I was browsing a website, and stumbled across a sample scheme for password-protecting web pages. The owner of the website specifically had a page that invited people to attempt to hack it.
I wanted ...
13 votes, 4 answers, 895 views
How to detect “forged” SSL certificates from the webserver end
The company I work for sometimes intercepts employees' SSL connections to https websites by making the SSL connection on their behalf from a proxy, and then using their own generated certificate to send ...
13 votes, 5 answers, 341 views
What is the best option for setting up several sites supporting SSL on the same IP?
If multiple hostnames are hosted on the same IP, it's not straightforward to allow them to support https. What are the best options in terms of browser support and/or web server support?
3 votes, 7 answers, 1k views
Server compromised for 2nd time, cannot locate source of attack
I need some help tracing a vulnerability on my server. For the second time, my server has been compromised with files being replaced with virus-ridden downloads.
According to the filesystem dates, ...
11 votes, 5 answers, 2k views
Index page has been compromised, suspicious files are showing up
My website has been hacked lately and it has been defaced. Now I have weird files, and I don't know where they're coming from. I just want to know which of these files are harmful or can cause that I get ...
5 votes, 3 answers, 390 views
Appropriate defense for 404s in my logs - persistent web scans from one region
This seems to be a fairly easy question to figure out, but I wanted to make sure. I've got about a thousand entries on one of my web servers with phpmyadmin in the connection criterion, but as I ...