
.. SPDX-License-Identifier: GPL-3.0-or-later
.. Copyright © 2018-2019 Ariadne Devos

s^2 Web Server

(This is a work in progress; details are in flux and possibly unimplemented.)

s^2 Web Server, short for The Speculatively Secure Web Server, allows for serving a manually crafted (HTML, CSS, JS, images, videos) website. It has an optional control panel for remote configuration.

PHP and other languages may be used via FastCGI. Their security guarantees may differ from those of the s^2 core.

Control panel

  • uploading and downloading documents
  • setting up accounts and groups
  • configuring regions that require special permissions
  • redirects
  • viewing load statistics
  • external storage, local file system or an SQL database
  • restricting scripting (JS, also CSS in IE)
  • restricting loading of external resources
  • restricting allowed file types

Short-term TODO

  • HTTP/1.1 Hello World!
  • serve files from the filesystem
  • migration to different instances
  • HTTPS
  • WebDAV (with hardcoded credentials)

Longer-term TODO

  • documents from SQL databases
  • migration to other machines
  • transparent compression of text
  • HTTP/1.0
  • HTTP/2
  • HTTP/3, once it is out
  • HTTPS
  • optional append-only audit log
    • for account setup
    • for region setup
    • for redirect configuration
    • for restricting scripting
    • for restricting external resources
    • for storage configuration
  • automatic back-ups (external media must still be inserted manually)
    • with checksums
    • signed
    • encrypted
  • automatic Let's Encrypt HTTPS certificates
  • special handling of suspect requests
    • non-existent, commonly probed locations (e.g. wp-login.php)
    • paths containing '/../'
    • others
    • logging of IP
  • secure authentication
    • optional two-factor authentication
    • hashed and salted passphrases
    • minimal passphrase lengths (Resource: password rules on codinghorror.com)
    • encrypted with a key only known to the authentication daemon
    • signed, without replay attacks (e.g. using a Merkle tree) (?)
    • allow changing keys
  • allow untrusted storage (?)
  • isolated authentication daemon
  • sandboxed
  • load statistics
  • test cases
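The "special handling of suspect requests" item above, as an added example that is not s^2 code (the project's implementation language is not stated on this page, so Python is used). It decodes the request target once, treats any surviving '..' segment as traversal rather than letting path normalization quietly absorb it, flags the probed location the list names, and records the client IP in the log line. DOCUMENT_ROOT, PROBED_PATHS, canonical_path, classify_request and resolve_file are assumed names; the sample requests are constructed.

```python
"""Added example: classify request targets for a static file server.

Not s^2 code. Assumed names: DOCUMENT_ROOT, PROBED_PATHS, canonical_path,
classify_request, resolve_file. The request samples at the bottom are constructed.
"""
import posixpath
from urllib.parse import unquote

DOCUMENT_ROOT = "/srv/www"  # assumed document root for the examples below
# Locations scanners request on servers that do not host them; the page names
# wp-login.php, an operator would extend this set for their own deployment.
PROBED_PATHS = frozenset({"/wp-login.php"})


def canonical_path(raw_target):
    """Return (verdict, path). Percent-decodes exactly once, drops the query
    string and refuses anything that is not a clean absolute path.

    verdicts: "ok", "traversal" (a '..' segment survived decoding),
    "malformed" (relative target or NUL byte).
    """
    path = unquote(raw_target.split("?", 1)[0])
    if not path.startswith("/") or "\0" in path:
        return "malformed", None
    # Check segments before normpath: posixpath.normpath silently drops a
    # leading '/..' at the root, which would hide the attempt from the log.
    if ".." in path.split("/"):
        return "traversal", None
    return "ok", posixpath.normpath(path)


def classify_request(raw_target, client_ip):
    """Combine the path check with the probed-location list and build the
    log line the server would append, client IP included."""
    verdict, path = canonical_path(raw_target)
    if verdict == "ok" and path in PROBED_PATHS:
        verdict = "probe"
    log_line = f"{client_ip} {verdict} {raw_target!r}"
    return verdict, path, log_line


def resolve_file(path):
    """Map a canonical path onto DOCUMENT_ROOT and confirm, as a second line
    of defense, that the result is still inside the root."""
    target = posixpath.normpath(posixpath.join(DOCUMENT_ROOT, path.lstrip("/")))
    if posixpath.commonpath([DOCUMENT_ROOT, target]) != DOCUMENT_ROOT:
        raise ValueError(f"{target} escapes {DOCUMENT_ROOT}")
    return target


if __name__ == "__main__":
    # Constructed sample requests: one honest, three that should not be served.
    samples = [
        ("/index.html", "203.0.113.5"),
        ("/img/..%2F..%2Fetc/passwd", "203.0.113.7"),
        ("/wp-login.php?redirect=1", "203.0.113.9"),
        ("assets/app.js", "203.0.113.11"),
    ]
    for target, ip in samples:
        verdict, path, line = classify_request(target, ip)
        served = resolve_file(path) if verdict == "ok" else "nothing served"
        print(line, "->", served)
```

Only a single percent-decoding pass is applied; a server that decodes twice (so that "%252e" eventually becomes ".") would need the segment check repeated after the second pass. The commonpath check in resolve_file is redundant when canonical_path is correct, which is exactly why it is there.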

Some development resources

  • Additional HTTP Status Codes: RFC 6585
  • Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing: RFC 7230
  • Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content: RFC 7231
  • Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests: RFC 7232
  • Hypertext Transfer Protocol (HTTP/1.1): Range Requests: RFC 7233
  • Hypertext Transfer Protocol (HTTP/1.1): Caching: RFC 7234
  • Hypertext Transfer Protocol (HTTP/1.1): Authentication: RFC 7235