I will soon have a Zope site ready to go online. How can I make sure that I did everything (concerning Zope) to stop intruders? Where can I find information about protecting a Zope site? Has anyone had security problems so far?
Easiest (most brutal?) fix I've found - hide Zope behind an Apache, and prohibit access to any URLs of the form .*/manage.*
This is what I'm doing at the moment (more or less), but your question made me think. Actually this is an example of "allow anything that isn't explicitly denied", which is not a very good policy if you want security. I remember (but - darn - can't remember where I have it) a posting that said that anyone can easily see the names of all objects in a folder, which is nice intelligence gathering. I guess it would be much better (and even more brutal ;) to deny everything that isn't allowed explicitly. I'll try that later. I think I'll have to allow .*_html and .*_img for the http protocol plus all the .*/manage.* stuff for https and perhaps also make some (not so secure) restrictions based on IP addresses. -- Ragnar
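As an added example (not from this thread), here are the two approaches discussed above side by side in Apache 2.4 syntax: the "block only manage" rule from the first reply and the deny-by-default variant Ragnar sketches. The backend address 127.0.0.1:8080, the admin network 192.0.2.0/24 and the certificate paths are assumptions.

```apache
# Added example, not from the thread. Assumes Zope listens on 127.0.0.1:8080
# and that 192.0.2.0/24 is the administrators' network (placeholder values).

# --- Weak variant: allow everything, block only the management screens ---
<VirtualHost *:80>
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
    # Unanchored regex, so any URL containing /manage is refused (.*/manage.*)
    <LocationMatch "/manage">
        Require all denied
    </LocationMatch>
</VirtualHost>

# --- Stricter variant: deny by default, re-open only the public URL shapes ---
<VirtualHost *:80>
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
    # Later <Location*> sections override earlier ones for matching URLs,
    # so the blanket deny comes first ...
    <Location "/">
        Require all denied
    </Location>
    # ... then the site root and objects whose id ends in _html or _img are
    # allowed again (the .*_html / .*_img rule from the post above).
    <LocationMatch "^/$|_(html|img)$">
        Require all granted
    </LocationMatch>
    # Anything under /manage stays closed even if it ends in _html.
    <LocationMatch "/manage">
        Require all denied
    </LocationMatch>
</VirtualHost>

# --- HTTPS vhost: management screens reachable only from the admin network ---
<VirtualHost *:443>
    SSLEngine on
    # placeholder certificate paths
    SSLCertificateFile    "/etc/ssl/example/cert.pem"
    SSLCertificateKeyFile "/etc/ssl/example/key.pem"
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
    <LocationMatch "/manage">
        Require ip 192.0.2.0/24
    </LocationMatch>
</VirtualHost>
```

The deny-by-default vhost will also refuse any static resource whose id does not end in _html or _img, so each additional public URL shape needs its own explicit `Require all granted` section.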