Bernhard Lorenz, International Society for
Environmental Protection (ISEP), Vienna
Please note that this paper is just a short and very informal introduction to several aspects of web development and to no respect claims full and sufficient description or guidelines on either of the mentioned aspects and issues. When starting to develop a World Wide Web Site one will have to think about the following major issues:
- What data in what format is supposed to be made available to the public?
- Who are the main target groups - how to structure a web site?
- What software to use - security issues to address within an institution.
If the data to be put up is of a more complex form, like a relational database, one will probably either have to export the data to ASCII files (if possible) or - which is the better, (in terms of financial and time-consuming aspects) also more expensive solution - program an interface between the database itself and the World Wide Web. Such interfaces can be as simple as small Perl scripts with 100 lines only, up to complex programs consisting of several thousand files. Once these main decision have been taken, one can proceed to think about the way this data can be made available to the public.
In general, there are always two possible solutions:
If one is offering general information, text and alike files, it is very common to simply develop a menu for users to select different items and thus guide them to the files and information they want.
Furthermore, one will also have to think of the fact that - especially if it comes to overseas links - it takes some time to load a WWW page. Therefore it is better to avoid heavy graphics and icons where possible.
Additionally, it may be helpful to allow users to jump back and forth between the main sections of a web site from other submenus, too, to allow for faster navigation and speed up the process of looking for and eventually finding specific data.
Thus, a good Web Site is often structured into several main sections, from where users can go on to more detailed information. It is not advisable to put every possible link onto the homepage itself - users will get confused and may be overlooking links that are actually there but hidden due to the amount of other links available on the same page.
Furthermore, it is probably best to have only one or two subsections (depending on the amount of data) on a web site - if users have to go through ten or more different menus to find specific information only to read that this section is under construction, a web site has definitely failed its purpose.
From the security point of view, one should always follow discussions on recent bugs in these servers to minimize the risk of compromising a web server or even the machine it is running on. Special attention therefore needs to be payed to CGI (Common Gateway Interface) programs as well as certain strings which are passed through a web server.
Something which should always be avoided is running a web server with superuser privileges. Note that in order to open a connection on the http port 80, the server has to be started as root-user, but it (and its child processes) will switch to the user and group id one specifies in the configuration files.
Furthermore file permissions should always be correct - it is common practice to let a certain www user and group own all files, with directory permissions set to 755 (rwxr-xr-x) and file permissions set to 644 (rw-r-r-). A web server usually then runs as user "www" and group "nogroup". Also note that in case there are interfaces to other programs (databases etc.) on the same or other machines, this user probably also needs access to these directories and files as well. Finally, one has to make sure that Execute Permissions for CGI scripts etc. are properly set - if users on the same machine are allowed to run CGI scripts, these scripts should be checked very carefully and frequently to prevent the machine's abuse by intruders.
By restricting the access of a web server to a minimum of directories and files, possible intrusions and damage from hackers exploiting bugs in server software can be limited in a way only affecting the web site itself instead of the complete machine.
However, there may be a lot more security issues arising within an organization, for example to limit access to a web server to special sections only etc. - either by setting the appropriate parameters in the config files or even by implementing a firewall solution. These topics will vary depending on the type of institution, but should always be addressed in combination with setting up public services on insitutional hosts.