LinuxQuestions.org


davex7 06-14-2013 02:43 AM

Web Server with only html content
 
Hello,
Can a CentOS web server with Apache and only HTML pages have potential security holes?

Thanks,
dave

evo2 06-14-2013 02:47 AM

Hi,

yes, every service has _potential_ security holes.

Evo2.

davex7 06-14-2013 02:52 AM

Quote:

Originally Posted by evo2 (Post 4971540)
Hi,

yes, every service has _potential_ security holes.

Evo2.

OK, just asking about potential HTML, HTTP attacks... can you propose a simple example?
Thanks

evo2 06-14-2013 02:59 AM

Hi,

sorry I don't have any examples.

Evo2.

chrism01 06-14-2013 04:53 AM

Have a read of this https://www.owasp.org/index.php/Top_...le_of_Contents :)

r0b0 06-17-2013 05:42 AM

With all due respect to the previous posters, I dare to differ.

If by "a CentOS web server with apache and only html pages" you mean a fully updated recent CentOS version with no other network services apart from Apache and no Apache modules installed other than basic modules needed to serve static content, I think the attack surface of such a system is very small.

In other words, if you make sure you set up the system correctly and keep it that way, you're gonna be fine.

I wouldn't discourage you from running your own network services. Learning by doing. The security gurus might have other experience but alas.

Kind regards,
Robert

davex7 06-17-2013 08:53 AM

Quote:

Originally Posted by r0b0 (Post 4973346)
With all due respect to the previous posters, I dare to differ.

If by "a CentOS web server with apache and only html pages" you mean a fully updated recent CentOS version with no other network services apart from Apache and no Apache modules installed other than basic modules needed to serve static content, I think the attack surface of such a system is very small.

In other words, if you make sure you set up the system correctly and keep it that way, you're gonna be fine.

I wouldn't discourage you from running your own network services. Learning by doing. The security gurus might have other experience but alas.

Kind regards,
Robert

Yes, that's what I mean!
Thank you!

Dave

Turbocapitalist 06-17-2013 10:33 AM

I would say that it could be quite locked down, especially in comparison to other options. A server can get into relatively little trouble serving static HTML.

Too often people use PHP or even throw in a full CMS when all they want is standardized headers and footers. That can be done safely in Apache and nginx using Server-Side Includes without executables. See IncludesNoExec for Apache.
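
The IncludesNoExec setup mentioned in the post above, as an added configuration example that is not part of the original thread. The `/var/www/html` path (the CentOS default DocumentRoot) and the `.shtml` extension are assumptions, and mod_include must be loaded.

```apache
# Constructed example for a static-only site with shared headers and footers.
<Directory "/var/www/html">
    # Weak setting, shown for comparison only: plain Includes also allows
    # <!--#exec cmd="..." --> and <!--#exec cgi="..." --> in parsed pages,
    # so anyone who can write a page can run commands as the Apache user.
    # Options +Includes

    # Hardened setting: SSI is parsed but #exec is disabled. Listing the
    # option without +/- replaces the inherited set, so ExecCGI, Indexes
    # and FollowSymLinks are all off for this tree.
    Options IncludesNoExec

    # Ignore .htaccess files so nothing dropped into the content tree can
    # turn Includes or ExecCGI back on.
    AllowOverride None

    # Run only .shtml files through the SSI filter; plain .html is served as-is.
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# A page then pulls in the shared fragments like this (paths are hypothetical):
#   <!--#include virtual="/includes/header.html" -->
#   ...page body...
#   <!--#include virtual="/includes/footer.html" -->
```

Per the Apache documentation, `#include virtual` can still reach CGI scripts in ScriptAliased directories, so a static-only server should also define no ScriptAlias.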

frieza 06-17-2013 11:18 AM

If you ask my 2 cents, nothing is 100% attack proof, but usually when it comes to web servers, the attack surface isn't usually the web server itself, but rather the scripts run on the web server, such as those with a MySQL backend, which if not written properly are vulnerable to SQL injections etc. The web server itself, although theoretically vulnerable, is a much smaller attack surface.


All times are GMT -5.