Security aspects play an increasingly important role for the web servers of the TU Chemnitz, because
- our servers are being used by a large number of web authors,
- security gaps are exploited and abused frighteningly quickly,
- our servers contain data worthy of protection which should only be made accessible to authorised persons.
A note beforehand: we will not be able to achieve absolute security on the general web servers. Sensitive data may therefore only be made accessible via suitable dedicated servers (e.g. via virtual servers of your own) and suitable encryption procedures. But even then, careful programming is essential!
- Secure secrets for web applications
- Web form security
- Writing in the web space: risks and protection
- Secure coding with PHP
Security Settings of the Central Web Servers
Page requests to the central web servers are now only possible via HTTPS encryption (HTTP Strict Transport Security is enabled).
For security reasons, the TU Chemnitz web pages may only be displayed in frames on our own web pages. The following HTTP headers are set for this purpose:
Content-Security-Policy: frame-ancestors 'self'
If you want to allow your pages to be displayed in frames of other web servers, you must write something like this in the .htaccess:
Header set Content-Security-Policy "frame-ancestors https://www.example.com"
# X-Frame-Options ALLOW-FROM is only understood by legacy browsers; modern browsers rely on the CSP header above:
Header set X-Frame-Options "ALLOW-FROM https://www.example.com"
Content-Security-Policy is far more flexible than X-Frame-Options and is now supported by modern web browsers.
If you want your web pages to be usable as a frame by all servers of one domain, write in the .htaccess:
# Allow all pages on tu-chemnitz.de:
# (the wildcard matches subdomains such as www.tu-chemnitz.de, not the bare host tu-chemnitz.de)
Header set Content-Security-Policy "frame-ancestors *.tu-chemnitz.de"
# This does not work with X-Frame-Options, so we disable it:
Header unset X-Frame-Options
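The frame-ancestors directives above decide which origins may embed a page. As an added example, not part of the original page or of the URZ server configuration, the following Python check takes a Content-Security-Policy header value and reports which embedding origins it permits, so a web author can test a planned .htaccess setting before deploying it. It implements a simplified form of the CSP host matching (ports and paths are ignored), and all URLs in it are constructed samples.

```python
# Added example (not from the original page): simplified checker for which embedding
# origins a Content-Security-Policy frame-ancestors directive allows. Handles host-source,
# scheme-source, 'self' and 'none'; ports and paths are ignored. All URLs are constructed.
from urllib.parse import urlsplit

def frame_ancestors_sources(csp: str):
    """Return the source list of the frame-ancestors directive, or None if the header lacks it."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source: str, page: str, ancestor: str) -> bool:
    """Does one CSP source expression permit `ancestor` to frame `page`? (CSP3 matching, simplified)"""
    page_o, anc_o = urlsplit(page), urlsplit(ancestor)
    src = source.lower()
    if src == "'self'":
        return (page_o.scheme, page_o.hostname) == (anc_o.scheme, anc_o.hostname)
    if src == "'none'":
        return False
    if src.endswith(":") and "/" not in src:              # scheme-source such as "https:"
        return anc_o.scheme == src[:-1]
    src_o = urlsplit(src if "://" in src else "//" + src)  # host-source, scheme optional
    want_scheme = src_o.scheme or page_o.scheme            # no scheme given: inherit the page's scheme
    if anc_o.scheme != want_scheme and not (want_scheme == "http" and anc_o.scheme == "https"):
        return False
    host_pat, anc_host = src_o.hostname or "", anc_o.hostname or ""
    if host_pat.startswith("*."):
        return anc_host.endswith(host_pat[1:])             # "*.tu-chemnitz.de" does not match the bare domain
    return host_pat == anc_host

def allowed_ancestors(csp: str, page: str, candidates) -> dict:
    """Map each candidate origin to True/False. Without a frame-ancestors directive, anyone may frame the page."""
    sources = frame_ancestors_sources(csp)
    if sources is None:
        return {c: True for c in candidates}
    return {c: any(source_matches(s, page, c) for s in sources) for c in candidates}

PAGE = "https://www.tu-chemnitz.de/urz/"   # constructed sample URL of a page on the central server
CANDIDATES = ["https://www.tu-chemnitz.de", "https://mytu.tu-chemnitz.de", "https://tu-chemnitz.de",
              "http://www.tu-chemnitz.de", "https://www.example.com", "https://evil.example.net"]
POLICIES = ["frame-ancestors 'self'", "frame-ancestors https://www.example.com",
            "frame-ancestors *.tu-chemnitz.de", "default-src 'self'"]  # last one has no frame-ancestors

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, allowed_ancestors(policy, PAGE, CANDIDATES))
```

Note that a policy without any frame-ancestors directive (the last sample) leaves the page embeddable by every origin, which is why the central servers set the directive by default.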