Security tips for HTTP Server

This topic provides tips to secure your IBM® HTTP Server for i Web server.

Some hints and tips on security issues in setting up the HTTP Server.

Permissions on HTTP Server directories

In typical operation, the HTTP Server is started under the IBM i user profile QTMHHTTP and requests coming into the server are run under that user profile. It is possible to start the server and serve requests under different profiles. Refer to the ServerUserID and UserID directives for more information. You must also ensure that all of the resources that can be accessed by a Web client are properly protected. See User profiles and required authorities for HTTP Server for additional information.

Stopping users from overriding system wide settings for HTTP Server

You will want to stop users from setting up .htaccess files, which can override security features. Here is one example:

<Directory />
   AllowOverride None
   Options None
</Directory>

This stops all overrides, Includes, and accesses in all directories. You also need to set up directory containers to allow access for specific directories.

Protecting server files by default for HTTP Server

HTTP Server has a default access feature. To prevent clients from seeing the entire file system, add the following block to the configuration:

<Directory />
   Order deny,allow
   Deny from all
</Directory>

This forbids default access to file system locations. Add appropriate <Directory> blocks to allow access. For example:

<Directory /users/public_html>
   Order deny,allow
   Allow from all
</Directory>

Pay particular attention to the interactions of <Location> and <Directory> directives. For example, even if <Directory /> denies access, a <Location /> directive might override it.

Server Side Includes for HTTP Server

Server side includes (SSI) can be configured so that users can execute programs on the server. To disable that part of SSI, use the IncludesNOEXEC option of the Options directive.
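The following configuration fragment is an added example, not taken from the IBM documentation, that combines the settings described in the sections above (blocking .htaccess overrides, denying access by default, re-opening one directory, and disabling #exec in SSI). The path /www/myserver/htdocs and the use of .shtml for SSI-processed files are assumptions for illustration; substitute your own document root.

```apache
# Added example (not from the IBM documentation): a hardened section of
# httpd.conf for HTTP Server combining the settings discussed above.
# The document root /www/myserver/htdocs is an assumed path.

# 1. Lock down the file system root: no .htaccess overrides, no Options,
#    and no client access unless a more specific block grants it.
<Directory />
   AllowOverride None
   Options None
   Order deny,allow
   Deny from all
</Directory>

# 2. Re-open only the directory that clients should be able to reach.
#    "Options IncludesNOEXEC" permits server side includes but refuses
#    the #exec element, so SSI pages cannot run programs on the server.
<Directory /www/myserver/htdocs>
   AllowOverride None
   Options IncludesNOEXEC
   Order deny,allow
   Allow from all
</Directory>

# 3. Tell the server which files are SSI-processed (assumed .shtml suffix),
#    so the IncludesNOEXEC restriction above actually applies to them.
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

# 4. Caveat from the text: <Location> sections are merged after <Directory>
#    sections. A block like the one below would silently undo the root
#    "Deny from all" for every URL, so it is shown commented out.
# <Location />
#    Order deny,allow
#    Allow from all
# </Location>
```

After editing the configuration, restart the server and request a path outside the document root (for example a file under /QIBM) from a browser; the expected result is a 403 response, which confirms that the root Deny is in effect and that no <Location> block is overriding it.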