Website Security

What security issues do I need to be aware of in relation to my webpages? How can I restrict access to only certain people?


Don't put unprotected private files in your webspace

For people other than yourself (and the few others whose Institute accounts are in the same group as yours) to be able to see your webpages, the permissions on the files in your webspace must allow read access to everybody. This means that you should never put private files in your webspace unless you protect them via one of the methods described below, because by default files created there will be readable by anyone in the world!

[Further details for more experienced users: unless you have changed your umask, files in your webspace will be created with mode -rw-r--r--; read about file and directory permissions if you don't understand what this means. Note also that normally when you give read permission on a file to "others", that file becomes readable only by people with maths accounts. However, there is a special automated maths institute user which will give out those files in the webspace which have read permission for "others", to anyone who asks for them - this is essentially how the webserver works.]

WARNING: If you put a symlink from your web directory back into your account (and the permissions on your account are set such that any user can read the files), then it is possible for someone outside the Institute to follow the symlink using a web browser and hence gain access to all your files. Putting symlinks in your web directory that point back to your home directory is therefore strongly discouraged, because under certain circumstances it is possible, without realising it, to configure your files so that they can be read from outside Oxford.


Restricting access using the .htaccess file

.htaccess files live in one or more of the directories in your webspace; the .htaccess file in a particular directory controls access to the files in that directory. If a directory has no .htaccess file, then all the files in that directory (assuming the permissions on the files are set suitably) are available to everyone. See help with the .htaccess file to see how to set these files up.


Restricting access using file permissions

Restricting access to your web pages using file permissions is not recommended for long-term use. However, you may wish to restrict read access to yourself while your webpages are in development, or you might want to allow the others in your group (for postgraduates, this generally means the others in your year) to see them as well and let you know what they think. Bear in mind that it is discourteous to send people to pages which they will not be able to access, so you should not link to or publicise a page until you have restored its permissions so that everyone can read it.
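As an added illustration (not part of this help page, and not a tool provided by the Institute), the following POSIX shell script audits a webspace directory for the three hazards described above: files readable by "others", symlinks that lead back out of the webspace, and directories with no .htaccess protecting them. It assumes `readlink -f` is available (GNU coreutils or a recent BSD/macOS) and that the path you pass is your webspace root.

```shell
#!/bin/sh
# Added example, not from the original help page: audit a webspace directory
# for the hazards described above. Assumes POSIX sh plus `readlink -f`.

# 1. Regular files readable by "others" (o+r): exactly the files the
#    webserver will hand to anyone, so no private file should be listed.
world_readable_files() {
    find "${1%/}" -type f -perm -o+r
}

# 2. Symlinks whose resolved target lies outside the webspace, e.g. a link
#    back into your home directory that a browser could follow.
escaping_symlinks() {
    ws=$(cd "$1" && pwd -P) || return 1
    find "${1%/}" -type l | while read -r link; do
        target=$(readlink -f "$link") || continue
        case "$target" in
            "$ws"/*) ;;                                  # stays inside: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes: report it
        esac
    done
}

# 3. Directories with no .htaccess of their own and none in any ancestor up
#    to the webspace root (Apache merges .htaccess files from parent
#    directories), so every world-readable file in them is served to all.
unprotected_dirs() {
    root=${1%/}
    find "$root" -type d | while read -r dir; do
        d=$dir
        while :; do
            [ -e "$d/.htaccess" ] && break
            if [ "$d" = "$root" ]; then printf '%s\n' "$dir"; break; fi
            d=$(dirname "$d")
        done
    done
}

# Run all three checks; the return value is the number of checks (0-3)
# that reported something, so 0 means a clean webspace.
audit_webspace() {
    n=0
    for check in world_readable_files escaping_symlinks unprotected_dirs; do
        out=$("$check" "$1")
        [ -n "$out" ] && { echo "== $check"; echo "$out"; n=$((n + 1)); }
    done
    return "$n"
}
```

Run it as `audit_webspace ~/public_html` (the path is an assumption; use whatever your webspace directory is) and review each reported item before publicising a page.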

Please contact us with feedback and comments about this page. Last updated on 25 Mar 2022 15:43.