← Patterns / SP-008

Public Web Server Pattern

Security architecture and controls for public web server

Release: 08.02 Authors: Aurelius Updated: 2025-07-05

Click on controls in the diagram to view details. Download SVG

Typical Challenges

Malicious entities try to exploit software bugs in the Web server
Denial of service (DoS) attacks may be directed to the Web server
Compromises through command injection attacks
The server may be used as a distribution point for attack tools, pornography, or illegally copied software.
Man in the browser attacks
Phising attacks
Misconfigurations

Threat Resistance

Compromises through command injection attacks
Compromises through XSS attacks
Compromises through buffer overflow attacks
Compromises through access control violations

References

Classification: Pattern

Release: 08.07

Authors: Aurelius

Reviewer: tbd

Control details

AC-01 Access Control Policies and Procedures
AC-03 Access Enforcement
AC-07 Unsuccessful Login Attempts
AC-09 Previous Logon Notification
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-12 Session Termination
AU-03 Content Of Audit Records
AU-07 Audit Reduction And Report Generation
CA-02 Security Assessments
CA-04 Security Certification
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-05 Access Restrictions For Change
CM-07 Least Functionality
CP-02 Contingency Plan
CP-03 Contingency Training
CP-06 Alternate Storage Site
CP-07 Alternate Processing Site
CP-09 Information System Backup
CP-10 Information System Recovery And Reconstitution
IA-01 Identification And Authentication Policy And Procedures
IR-02 Incident Response Training
IR-04 Incident Handling
MA-02 Controlled Maintenance
MA-04 Remote Maintenance
MA-06 Timely Maintenance
PL-02 System Security Plan
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SA-03 Life Cycle Support
SA-08 Security Engineering Principles
SA-10 Developer Configuration Management
SC-05 Denial Of Service Protection
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-11 Trusted Path
SC-20 Secure Name / Address Resolution Service (Authoritative Source)

Assumptions

RIA web application can built with any front end technology like AJAX, Java, Silverlight or FLEX/FLASH
End user authentication can be strong (with physical token based OTP, SMS based OTP, or iTAN list) or just UID/PW (enhanced with SRP, or Digest)
Web application state should not be stored on the client but only a pointer to the server side stored storage should be passed (encrypted) out to the client, for example as a cookie or as POST parameter
All input validation that is done on the client needs to be redone on the server

Mapped Controls (38)

AC: 7AU: 2CA: 2CM: 4CP: 6IA: 1IR: 2MA: 3PL: 1RA: 2SA: 3SC: 5

AC-01 Access Control Policies and Procedures
AC-03 Access Enforcement
AC-07 Unsuccessful Login Attempts
AC-09 Previous Logon Notification
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-12 Session Termination
AU-03 Content Of Audit Records
AU-07 Audit Reduction And Report Generation
CA-02 Security Assessments
CA-04 Security Certification
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-05 Access Restrictions For Change
CM-07 Least Functionality
CP-02 Contingency Plan
CP-03 Contingency Training
CP-06 Alternate Storage Site
CP-07 Alternate Processing Site
CP-09 Information System Backup
CP-10 Information System Recovery And Reconstitution
IA-01 Identification And Authentication Policy And Procedures
IR-02 Incident Response Training
IR-04 Incident Handling
MA-02 Controlled Maintenance
MA-04 Remote Maintenance
MA-06 Timely Maintenance
PL-02 System Security Plan
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SA-03 Life Cycle Support
SA-08 Security Engineering Principles
SA-10 Developer Configuration Management
SC-05 Denial Of Service Protection
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-11 Trusted Path
SC-20 Secure Name / Address Resolution Service (Authoritative Source)