Security Instructions for Operating a Web Application
The web application server offers you the option of installing your own or third-party software. This also means that you are responsible for that software and for the files and documents stored on your website. Security vulnerabilities in web applications, misconfigurations, or overly permissive access controls can jeopardize not only your own web application but, under certain circumstances, the operation of the entire server. Please observe the following points to keep operation as secure as possible:
- Choose your software carefully: never install outdated versions or software that is no longer maintained. Do not use software that is still in a testing phase (alpha or beta releases) or whose reliability you cannot assess.
- Patch your applications promptly. Information on security vulnerabilities can be found, for example, at cve.org or from DFN-CERT.
- Upgrade to a current release of your application no later than the point at which security patches are no longer provided for the version you are running.
- Familiarize yourself with Linux file permissions: as a rule, use the most restrictive permissions that still serve the intended purpose. Under normal circumstances, nobody other than the owner and the group needs access to the files in the web directory on the web application server. Read or write permission for "others" (world-readable or world-writable files) should not be granted anywhere. On the web application server, the Apache web server runs for each project (each host name) under that project's own user ID. Provided the permissions are set correctly, Apache can therefore write only to its own project's web directory.
- Restrict access to forms, login pages, and similar pages. Check whether you can limit access to such pages to the university network or even more narrowly (e.g., via a local .htaccess file in the directory concerned).
- Never write passwords in plain text into documents or scripts in your document root (web directory) or any subdirectory below it; a file below the document root may be delivered to browsers verbatim, for example a backup copy or a file with a non-executable extension. Instead, keep them in a file outside the document root that is readable only by your own user ID, and have your scripts read the values from there into variables.
- Use encryption (https) for the transmission of sensitive data or for websites that require password login. Web applications on the RRZ's web application server platform are equipped with a server certificate, so you do not need to apply for one separately.
- Use the RRZ's central PhpMyAdmin installation to administer your database if you want to use a graphical tool. Do not install PhpMyAdmin or similar tools yourself. Find out in advance whether a required application is already offered centrally by the RRZ.
- Contact us (service line) if you have any questions or suspect that something is wrong with a website or if you observe unexplained server behavior.
- Coordinate the design or configuration of your web application with the UHH information security officer.
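The file-permission and access-restriction points above (restrictive permissions in the web directory, secrets outside the document root, an .htaccess limiting a page to one network), as an added shell example that is not part of the RRZ page or its tooling. It assumes that Apache serves each project under that project's own user ID, as stated above, so that removing all permissions for "others" does not lock the web server out; that the server honours `Require` directives in `.htaccess` files; and it uses the documentation network 192.0.2.0/24 as a placeholder for the real university network. The function names and the `DOCROOT` variable are hypothetical.

```shell
#!/bin/sh
# Added example (not the RRZ's own tooling): audit and tighten permissions
# below a web directory, check that a secrets file lives outside it, and
# write an .htaccess that limits a directory to one network.
# Assumptions: Apache serves each project under that project's own user ID
# (as the instructions state), so removing all "other" permissions is safe;
# the server honours Require directives in .htaccess; 192.0.2.0/24 is a
# placeholder for the real university network. Function names are hypothetical.

# Count entries below $1 with any permission bit set for "others"
# (octal 004 = read, 002 = write, 001 = execute/search).
count_world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | wc -l | tr -d ' '
}

# Count world-writable entries below $1: the case that lets any local user
# plant or alter content the web server will serve.
count_world_writable() {
    find "$1" -perm -002 -print | wc -l | tr -d ' '
}

# Remove read, write and execute/search for "others" below $1, keeping the
# owner and group bits as they are.
restrict_to_owner_and_group() {
    chmod -R o-rwx "$1"
}

# Succeed only if the secrets file $1 lies outside the document root $2 and
# grants no permission at all to group or others (i.e. mode 600 or 400).
secret_file_ok() {
    case "$1" in
        "$2"/*) return 1 ;;   # below the document root: may be served verbatim
    esac
    [ -f "$1" ] || return 1
    # any group (070) or other (007) bit set means the file is too open
    bits='-perm -040 -o -perm -020 -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001'
    # shellcheck disable=SC2086  # word splitting of $bits is intentional
    [ -z "$(find "$1" -maxdepth 0 \( $bits \) -print)" ]
}

# Write an .htaccess into directory $1 that admits only clients from the
# network $2 (Apache 2.4 authorization syntax); everyone else receives 403.
write_network_restriction() {
    cat > "$1/.htaccess" <<EOF
# Access limited to one network; adjust to your site's address range.
Require ip $2
EOF
}

# Stand-alone use: DOCROOT=/path/to/your/web sh permcheck.sh
if [ -n "${DOCROOT:-}" ]; then
    echo "world-accessible entries: $(count_world_accessible "$DOCROOT")"
    echo "world-writable entries:   $(count_world_writable "$DOCROOT")"
fi
```

Run the two count functions first and inspect what they report before calling `restrict_to_owner_and_group`, since `chmod -R` touches every entry below the directory. The `Require ip` directive only takes effect if the server's configuration permits authorization directives in `.htaccess` for that directory (AllowOverride); if the page still opens from outside the allowed network after you add the file, that setting, not the directive, is the first thing to check.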