
SREhttp/2 Security Features

Since SREhttp/2 does not support SSL, we cannot claim that SREhttp/2 is a highly secure server. Nevertheless, SREhttp/2 does come with a number of security-related features, which are described below.
Default directory: The default data directory limits the directories from which files can be retrieved. Note that you can expand this by adding virtual directories.

Limiting access to configuration tools: You can use the SECURITY_LEVEL parameter to prevent outside users from running the remote configuration tools, or you can disable any use of these configuration tools (by default, access is only permitted to a client running a browser on the server machine).

In addition to the SECURITY_LEVEL parameter, the powerful (and hence potentially dangerous) MANAGER and _COMMAND addons can be disabled:

  • MANAGER: remove all ALLOWED_DIR entries from the MANAGER.CFG file(s).
  • _COMMAND: modify the CHECK_SECURITY parameter in _COMMAND.CMD.
  • Note that both MANAGER and _COMMAND are installed in a disabled state.
Access control on a resource-specific basis: Some resources on your web site can be open to the public, some can be open to all registered users, and some can be available only to specified subsets of those registered users.

Access control on a file-specific basis: If the HTACCESS method of access control is enabled, SREhttp/2 will check special .HTACCESS files for directory-specific username & password information.

In fact, requests can be subject to both resource-specific (using required privileges and client privileges) and HTACCESS (requiring directory-specific username & password information) access controls -- just be sure to coordinate the usernames and passwords used by both methods (since each method stores username & password information in a different place).

Authentication: SREhttp/2 supports both "basic" and digest authentication.

In addition, SREhttp/2 supports dynamic passwords -- an emulation of digest authentication that is usable by JavaScript-aware HTTP/1.0 browsers.

Access denied response: If access is denied, a generic & simple failure file, a customized failure file, or a selector-specific failure file can be used to form the authorization response.

Alternatively, SREhttp/2 can detect & deny access to clients repetitively hitting your site with different phony usernames & passwords.

40-bit encryption: SREhttp/2 supports several forms of 40-bit encryption of content.

Probing attacks: Probing attacks, where an attacker randomly requests common system files, can be detected & thwarted.

Dynamic privileges: Dynamic (short-duration) privileges can be awarded on a request-specific basis -- this can be used to support multiple accounts, or to grant temporary access to resources (say, to allow access to images only after an introductory page has been viewed).
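The two detections described above (denying clients that cycle through phony usernames, and spotting probes for common system files) can be illustrated with a small log scanner. This is an added example, not SREhttp/2's own code: the log line format, the thresholds and the PROBE_PATHS list are constructed assumptions, and the sample log lines are made up.

```python
from collections import defaultdict

# Constructed sample request log (not SREhttp/2's real log format; an assumption for this example).
# Fields: client address, method, path, HTTP status, username supplied ("-" if none).
SAMPLE_LOG = """\
192.0.2.10 GET /private/report.htm 401 alice
192.0.2.10 GET /private/report.htm 401 bob
192.0.2.10 GET /private/report.htm 401 carol
198.51.100.7 GET /index.htm 200 -
198.51.100.7 GET /config.sys 404 -
198.51.100.7 GET /autoexec.bat 404 -
203.0.113.5 GET /private/report.htm 401 erin
203.0.113.5 GET /private/report.htm 200 erin
""".splitlines()

# Assumed set of "common system files" whose retrieval attempts count as probes.
PROBE_PATHS = {"/config.sys", "/autoexec.bat", "/etc/passwd"}

def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    client, method, path, status, user = parts
    return {"client": client, "method": method, "path": path.lower(),
            "status": int(status), "user": user}

def flag_suspicious_clients(log_lines, max_failed_users=3, max_probes=2):
    """Return {client: set(reasons)} for clients that should be denied:
    'credential-guessing' after >= max_failed_users distinct usernames got a 401,
    'probing' after >= max_probes requests for a path in PROBE_PATHS."""
    failed_users = defaultdict(set)   # client -> usernames rejected with 401
    probe_hits = defaultdict(int)     # client -> requests for probe paths
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 401 and rec["user"] != "-":
            failed_users[rec["client"]].add(rec["user"])
        if rec["path"] in PROBE_PATHS:
            probe_hits[rec["client"]] += 1
    flagged = defaultdict(set)
    for client, users in failed_users.items():
        if len(users) >= max_failed_users:
            flagged[client].add("credential-guessing")
    for client, hits in probe_hits.items():
        if hits >= max_probes:
            flagged[client].add("probing")
    return dict(flagged)
```

Note that a legitimate user who mistypes a password once (203.0.113.5 in the sample) stays below the threshold, while a client trying several different usernames is flagged regardless of which paths it requested.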