Re: [Zope] security issues
Ragnar Beer wrote: Howdy everyone!
I will soon have a Zope-site ready to go online. How can I make sure that I did everything (concerning Zope) to stop intruders? Where can I find information about protecting a Zope-site? Has anyone had security problems so far?
Easiest (most brutal?) fix I've found - hide Zope behind an Apache, and prohibit access to any URLs of the form .*/manage.* If you don't need to use basic auth to the Zope, then use a rewrite rule to strip out any Authentication headers in the requests.
Anthony
> I will soon have a Zope-site ready to go online. How can I make sure that I did everything (concerning Zope) to stop intruders? Where can I find information about protecting a Zope-site? Has anyone had security problems so far?
> Easiest (most brutal?) fix I've found - hide Zope behind an Apache, and prohibit access to any URLs of the form .*/manage.*
This is what I'm doing at the moment (more or less) but your question made me think. Actually this is an example of "allow anything that isn't explicitly denied" which is not a very good policy if you want security. I remember (but - darn - can't remember where I have it) a posting that said that anyone can easily see the names of all objects in a folder which is nice intelligence gathering. I guess it would be much better (and even more brutal;) to deny everything that isn't allowed explicitly. I'll try that later. I think I'll have to allow .*_html and .*_img for the http protocol plus all the .*/manage.* stuff for https and perhaps also make some (not so secure) restrictions based on IP addresses.
--Ragnar
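One way to write the deny-by-default variant Ragnar describes, as an added example for Apache 2.4 (not configuration from anyone in the thread). It assumes Zope listening on localhost:8080 with a VirtualHostMonster at its root; the hostname www.example.com, the certificate paths and the admin network 192.0.2.0/24 are placeholders.

```apache
# Added example: Apache 2.4 in front of Zope, deny by default.
# Assumed: Zope on localhost:8080 with a VirtualHostMonster at its root,
# site name www.example.com, admin network 192.0.2.0/24 (placeholders).
# Needs mod_proxy, mod_proxy_http, mod_headers, mod_ssl and mod_authz_core.

# Public, plain-HTTP side: anonymous browsing only.
<VirtualHost *:80>
    ServerName www.example.com

    # Visitors never authenticate to Zope here, so drop any credentials
    # before proxying (mod_headers form of the header-stripping idea above).
    RequestHeader unset Authorization

    # Default deny: nothing is proxied unless a later section allows it.
    <Location "/">
        Require all denied
    </Location>

    # Allowlist: the site root and paths ending in _html or _img.
    <LocationMatch "(^/$|_(html|img)$)">
        Require all granted
    </LocationMatch>

    # Later sections win, so management URLs stay closed regardless.
    <LocationMatch "/manage">
        Require all denied
    </LocationMatch>

    ProxyPass        / http://localhost:8080/VirtualHostBase/http/www.example.com:80/VirtualHostRoot/
    ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/www.example.com:80/VirtualHostRoot/
</VirtualHost>

# Management side: HTTPS only, and only from the admin network; the
# Authorization header passes through here so the ZMI login still works.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # PLACEHOLDER paths; replace with the real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    <Location "/">
        Require ip 192.0.2.0/24
    </Location>

    ProxyPass        / http://localhost:8080/VirtualHostBase/https/www.example.com:443/VirtualHostRoot/
    ProxyPassReverse / http://localhost:8080/VirtualHostBase/https/www.example.com:443/VirtualHostRoot/
</VirtualHost>
```

Check the result with a request for a folder path without an _html or _img suffix on port 80: it should come back as 403 from Apache rather than a Zope folder listing.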