
Securing OS X’s Personal Web Sharing

I recently covered getting the Mac’s built-in web server running nicely and mentioned how switching it on also forces the firewall to open port 80, which isn’t a great idea for a standalone development server.

Assuming you’re using a setup similar to the one I described configuring, a quick’n’dirty fix to keep out prying eyes is to edit /private/etc/httpd/httpd.conf (e.g. with sudo pico /private/etc/httpd/httpd.conf), changing all instances of

Order allow,deny
Allow from all

to

Order deny,allow
Deny from all
Allow from localhost

Drop into the users subfolder and do the same for each user’s .conf file, then stop and restart sharing.
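As an added example (not code from the original post), this Python script applies the same substitution to a config file's text and lists any active Allow from all lines left behind. The sample config and its /Users/example path are constructed, and the function names are my own; it matches only the exact pair shown above, so a block with Order allow,deny followed by Deny from all is left untouched.

```python
import re

# The "before" pair from the post: "Order allow,deny" immediately followed by
# "Allow from all". Indentation is captured so the replacement lines up.
# Commented-out lines start with "#" and therefore never match.
OPEN_PAIR = re.compile(
    r"^([ \t]*)Order[ \t]+allow,deny[ \t]*\n[ \t]*Allow[ \t]+from[ \t]+all[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
OPEN_LINE = re.compile(r"^[ \t]*Allow[ \t]+from[ \t]+all[ \t]*$", re.IGNORECASE)

def restrict_to_localhost(conf_text):
    """Rewrite every open pair to the localhost-only block; return (text, count)."""
    def repl(match):
        indent = match.group(1)
        return (f"{indent}Order deny,allow\n"
                f"{indent}Deny from all\n"
                f"{indent}Allow from localhost")
    return OPEN_PAIR.subn(repl, conf_text)

def open_directives(conf_text):
    """Return 1-based line numbers of active 'Allow from all' lines."""
    return [n for n, line in enumerate(conf_text.splitlines(), 1)
            if OPEN_LINE.match(line)]

# Constructed sample, not a real httpd.conf: two open blocks plus a
# deny-only block that must be left exactly as it is.
SAMPLE = '''\
<Directory "/Library/WebServer/Documents">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
<Files ~ "^\\.ht">
    Order allow,deny
    Deny from all
</Files>
<Directory "/Users/example/Sites/">
    Order allow,deny
    Allow from all
</Directory>
'''

if __name__ == "__main__":
    fixed, changed = restrict_to_localhost(SAMPLE)
    print(fixed)
    print(f"{changed} block(s) rewritten; still open at lines: {open_directives(fixed)}")
```

Running open_directives over httpd.conf and each user's .conf file after editing is a quick way to confirm no instance was missed before restarting sharing.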

Your web server will still be reachable, so it’s no substitute for a full firewall block, but external browsers will be denied access to your files. Alternatively, you can alter the settings so that the web server doesn’t listen on port 80, but I wanted a fix that wouldn’t clash with Headdress, which seems to include Listen 80 in its block of settings.

You can also add a touch of extra security-through-obscurity by going into httpd.conf again and setting ServerSignature to Off, reducing the amount of information Apache gives away.


Malevolent Design Weblog

Matt Round’s company blog, covering web development, media, technology and pretty much anything else.
