University Computer Centre

Web Security

Security aspects play an increasingly important role for the web servers of the TU Chemnitz, because

  • our servers are being used by a large number of web authors,
  • security gaps are exploited and abused frighteningly quickly,
  • our servers contain data worthy of protection which should only be made accessible to authorised persons.

A note beforehand: we will not be able to achieve absolute security on the general web servers. Sensitive data may therefore only be made accessible via suitable dedicated servers (e.g. via your own virtual servers) and suitable encryption procedures. But even then, careful programming is essential!

Security Settings of the Central Web Servers

Page requests to the central web servers are now only possible via HTTPS encryption (enforced with HTTP Strict Transport Security).

For security reasons, the TU Chemnitz web pages may only be displayed in frames on our own web pages. The following HTTP headers are set for this purpose:

  • Content-Security-Policy: frame-ancestors 'self'
  • X-Frame-Options: SAMEORIGIN

If you want to allow your pages to be displayed in frames on other web servers, write something like this in the .htaccess:

Header set Content-Security-Policy "frame-ancestors https://www.example.com"
Header set X-Frame-Options "ALLOW-FROM https://www.example.com"

The Content-Security-Policy header is far more flexible than X-Frame-Options and is now supported by modern web browsers. If you want your web pages to be usable as a frame by all servers of one domain, write in the .htaccess:

# Allow all pages on tu-chemnitz.de:
Header set Content-Security-Policy "frame-ancestors *.tu-chemnitz.de"
# This does not work with X-Frame-Options, so we disable it:
Header unset X-Frame-Options

Content-Security-Policy allows further security settings: you can define where content such as JavaScript, CSS, images or fonts may be loaded from, which makes your websites more secure.

# JavaScript, CSS etc. only from own server and www.tu-chemnitz.de, no inline JavaScript
Header set Content-Security-Policy "default-src 'self' https://www.tu-chemnitz.de"
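As an added check (example code, not from this page or the TU Chemnitz servers), the following Python function evaluates a page's response headers the way a CSP-capable browser does, so a web author can confirm which origins the frame-ancestors and X-Frame-Options settings above actually admit; all URLs and header sets used with it are constructed.

```python
from urllib.parse import urlsplit

# Added example, not code from the TU Chemnitz page. Decides whether a browser
# following CSP Level 2 would let embedder_url frame page_url: frame-ancestors,
# when present, overrides X-Frame-Options; DENY/SAMEORIGIN apply otherwise, and
# an unrecognised value such as the obsolete ALLOW-FROM imposes no restriction.

def _origin(url):
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)

def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def _source_matches(source, page, embedder):
    """Simplified CSP host-source matching for one frame-ancestors entry."""
    e_scheme, e_host, e_port = embedder
    s = source.lower()
    if s in ("'none'", "'self'", "*"):
        return s == "*" or (s == "'self'" and page == embedder)
    scheme, host = s.split("://", 1) if "://" in s else (None, s)
    host, _, port = host.split("/", 1)[0].partition(":")
    # Without an explicit scheme the embedder must use the page's scheme
    # (an https embedder may still frame an http page).
    scheme_ok = scheme == e_scheme if scheme else e_scheme in (page[0], "https")
    # "*.tu-chemnitz.de" matches subdomains only, not tu-chemnitz.de itself.
    host_ok = e_host.endswith(host[1:]) if host.startswith("*.") else host == e_host
    return scheme_ok and host_ok and (not port or int(port) == e_port)

def framing_allowed(headers, page_url, embedder_url):
    """True if the page's headers permit embedder_url to frame page_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, page, embedder) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page == embedder
    return True   # no header, or an unsupported value such as ALLOW-FROM
```

Note that frame-ancestors does not fall back to default-src, so the last .htaccess example above relies on X-Frame-Options alone to restrict framing; a policy with only ALLOW-FROM and no frame-ancestors admits every embedder in current browsers.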

Further information: