Writing More Secure CGI Scripts

Last Update: December 2, 1997
Translated into: German [1], Ukrainian [2], Danish [3], Czech [4]

Any time a program such as a WWW server interacts with a networked client such as a WWW browser, there is the possibility of that client attacking the program to gain unauthorized access. Even the most innocent-looking script can be very dangerous to the integrity of your system.

With that in mind, I would like to present a few guidelines to help ensure your program does not come under attack. This presentation uses examples from REXX and Perl; however, the principles apply to most languages.

You may also want to look at Paul Phillips' CGI Security for information on Perl, C and C++. Another source of information is Lincoln Stein's well-regarded WWW Security FAQ. If you are using Perl then you should also consider using Perl's taint checking mechanism. If you are writing scripts for a Windows NT server then see Somarsoft - Windows NT Security Issues.
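As an added example (not part of the original page), here is a minimal Perl CGI script run under the taint checking mechanism mentioned above; the `user` parameter and the `finger` command are assumed for illustration only.

```perl
#!/usr/bin/perl -T
# Added example, not from the original page. Run as: perl -T script.pl
# Under -T every value read from the request (QUERY_STRING, STDIN, %ENV) is
# "tainted" and Perl dies rather than pass it to system(), exec() or a
# write-mode open(). Data only becomes untainted via a regex capture group.
use strict;
use warnings;

# Taint mode refuses to run external commands with an untrusted PATH, so set
# it explicitly instead of inheriting it from the web server (per perlsec).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Real CGI input is tainted; the constructed fallback literal is used only
# when run outside a web server and is therefore not tainted.
my $query = $ENV{QUERY_STRING} // 'user=alice';
my %param = map { my ($k, $v) = split /=/, $_, 2; ($k, $v // '') }
            split /&/, $query;

# Untaint by extracting only what is explicitly allowed: a short username of
# word characters. Shell metacharacters, spaces, "../" and the like are
# rejected rather than escaped.
sub untaint_user {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /^(\w{1,16})$/;
    return $1;   # the capture is untainted; $raw itself is not
}

my $user = untaint_user($param{user});
print "Content-type: text/plain\r\n\r\n";
if (!defined $user) {
    print "Bad username\n";
    exit 0;
}

# Safe: $user is untainted, and the list form of system() never invokes a
# shell, so no interpretation of metacharacters can occur.
system('/usr/bin/finger', $user) == 0
    or print "finger failed: $?\n";
```

If the regex in `untaint_user` were loosened to `/^(.*)$/`, Perl would still consider the result untainted, so the pattern itself is the security check and must be as strict as the application allows.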


[1] Translated into German by Fijavan Brenk.
[2] Translated into Ukrainian by Oksana Mikhailuk, hosted by www.everycloudtech.com.
[3] Translated into Danish by Mille Eriksen.
[4] Translated into Czech by Barbora Lebedova.

This page evolved from information provided by Rob McCool (robm@ncsa.uiuc.edu). I have also gained many insights and much useful information from John Halperin@slac.stanford.edu.
Les Cottrell