I've found a way.

A security-wrapped CGI.
I validate it against an invalid REQUEST_METHOD and also block the GET method (so, bye-bye to trying to use it by accessing it directly through the browser command line!)

And I'll also add a test on the REFERER to ensure that only requests coming from one of the application's internal URLs will be accepted!

With these 2 security measures, I guess it will handle the job until I move to a server/client version to create and delete users on a server...



How did you do that?

I need to add security to an existing web site and I haven't figured out how.

The method is quite simple.

In the CGI, first, I look at the value of the environment variable REQUEST_METHOD. It will be GET or POST. If it is GET, display an error page.
If it is POST, get the environment variable HTTP_REFERER and check whether the URI there is the one we want to be called from. If it is not, display an error page.

Actually, I test whether the environment variable REQUEST_METHOD exists before testing its value, and do the same for the environment variable HTTP_REFERER.

See, simple!

(and works!)

I forgot to add that this is necessary, as after this I'm going to become root to create/delete server users.....

That's the reason why I need to have all this working beforehand... :-))))
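The two checks described in the replies above (reject a missing or non-POST REQUEST_METHOD, then reject a missing or unexpected HTTP_REFERER), written out as a small Python CGI. This is an added example, not the poster's script; the allowed host `app.example.invalid` and path `/admin/users.html` are assumptions, and `check_request` and `respond` are hypothetical names. The referer is compared by parsed hostname and path rather than by string prefix, so a referer such as `http://app.example.invalid.attacker.invalid/...` is rejected. Since HTTP_REFERER is sent by the client, any non-browser client can set it to whatever it likes, so these checks stop accidental direct browsing but are not an authentication control; anything that goes on to run as root still needs real authentication in front of it.

```python
import os
import sys
from urllib.parse import urlsplit

# Assumed values: the one internal page that is allowed to submit to this CGI.
ALLOWED_REFERER_HOSTS = {"app.example.invalid"}
ALLOWED_REFERER_PATH = "/admin/users.html"


def check_request(environ):
    """Return (ok, reason) for a CGI environment mapping.

    1. REQUEST_METHOD must exist and must be POST (GET is refused).
    2. HTTP_REFERER must exist and point at the expected internal page.
    """
    method = environ.get("REQUEST_METHOD")
    if method is None:
        return False, "missing REQUEST_METHOD"
    if method != "POST":
        return False, "method not allowed: %s" % method

    referer = environ.get("HTTP_REFERER")
    if not referer:
        return False, "missing HTTP_REFERER"

    # Parse the URL and compare host and path exactly. A naive
    # referer.startswith("http://app.example.invalid") would also accept
    # "http://app.example.invalid.attacker.invalid/...", which this does not.
    parts = urlsplit(referer)
    if parts.hostname not in ALLOWED_REFERER_HOSTS:
        return False, "unexpected referer host: %r" % parts.hostname
    if parts.path != ALLOWED_REFERER_PATH:
        return False, "unexpected referer path: %r" % parts.path
    return True, "ok"


def respond(environ):
    """Build the full CGI response (headers + body) for the given environment.

    Returns (exit_status, response_text); the caller writes the text to stdout.
    """
    ok, reason = check_request(environ)
    if not ok:
        body = "Request refused: %s\n" % reason
        return 1, "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n" + body
    # Only here would the privileged work (user creation/deletion) begin.
    return 0, "Content-Type: text/plain\r\n\r\nRequest accepted.\n"


def main():
    status, text = respond(os.environ)
    sys.stdout.write(text)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

When run under a web server as a CGI, the server populates REQUEST_METHOD and HTTP_REFERER in the process environment; `respond` reads them from `os.environ` and emits a 403 page for anything that fails either check.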
