If you've applied the preceding steps, your Web site is reasonably fortified for security. Even so (as mentioned before), be sure to monitor log activities to detect unusual access. Remember, too, that the human components of your Web site (such as content publishers and script developers) need training for site security. Establish guidelines for them.
Content publishers and script developers should know and adhere to the following guidelines:
♦ Whenever storing a content file, such as an HTML file, image file, sound file, or video clip, the publisher must ensure that the file is readable by the Web server (that is, the username specified by the User directive). No one but the publisher user should have write access to the new file.
♦ Any file or directory that must not be displayed directly in the Web browser, because it contains information that is accessed only indirectly through an application or script, shouldn't be located under a DocumentRoot-specified directory. For example, if one of your scripts needs access to a data file that shouldn't be directly accessed from the Web, don't keep the data file inside the document tree. Keep the file outside the document tree and have your script access it from there.
♦ Any time a script needs a temporary file, the file should never be created inside the document tree. In other words, don't have a Web server writable directory within your document tree. All temporary files should be created in one subdirectory outside the document tree where only the Web server has write access. This ensures that a bug in a script doesn't accidentally write over any existing file in the document tree.
♦ To fully enforce copyright, include both visible and embedded copyright notices on the content pages. The embedded copyright message should be kept at the beginning of a document, if possible. In an HTML file, for example, you can use a pair of comment tags to embed the copyright message at the beginning of the file: <!-- Copyright (c) 2000 by YourCompany; All rights reserved. --> can be embedded in every page.
♦ If you have many images that you want to protect from copyright theft, look into watermarking technology. This technique invisibly embeds information in images to protect the copyright. The idea is that if you detect a site that's using your graphical contents without permission, you can verify the theft by looking at the hidden information. If the information matches your watermark ID, you can clearly identify the thief and proceed with legal action. (That's the idea, at least. I question the strength of currently available watermarking tools; many programs can easily remove the original copyright owner's watermarks. Watermark technology is worth investigating, however, if you worry about keeping control of your graphical content.)
Creating a policy is one thing and enforcing it is another. Once you create your own publishing policy, discuss this with the people you want to have using it. Get their feedback on each policy item — and, if necessary, refine your policy to make it useful.
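The file-permission items in the guidelines above (content readable by the Web server user, write access for the publisher only, no Web-server-writable directory in the document tree) can be checked mechanically. The Python audit below is an added example, not code from the original text; the function names and the sample invocation (/var/www/html, user apache) are assumptions.

```python
import os
import stat

def effective_bits(st, uid, gids):
    """Return the rwx bits (0-7) that apply to the given user for this inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_docroot(docroot, server_uid, server_gids):
    """Return sorted (relative_path, issue) findings for the document tree."""
    paths = [docroot]
    for parent, dirs, files in os.walk(docroot):
        paths += [os.path.join(parent, name) for name in dirs + files]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits carry no meaning; targets are out of scope
        rel = os.path.relpath(path, docroot)
        bits = effective_bits(st, server_uid, server_gids)
        # Guideline: no one but the publisher (owner) may write.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "writable by users other than the owner"))
        # Guideline: nothing in the document tree is writable by the server.
        if bits & 2:
            findings.append((rel, "writable by the web server user"))
        # Guideline: content must be readable (directories also searchable).
        if not bits & 4 or (stat.S_ISDIR(st.st_mode) and not bits & 1):
            findings.append((rel, "not readable by the web server user"))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    import sys
    # Assumed usage: audit.py /var/www/html apache
    # (the second argument is the name given in the User directive)
    docroot, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for rel, issue in audit_docroot(docroot, pw.pw_uid, gids):
        print(f"{rel}: {issue}")
```

The audit only reads mode bits and ownership; it does not evaluate ACLs or follow symbolic links, so review those separately.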