Improving security on web servers is vital to protect against hackers and data breaches
To minimize the risk of your business losing data to hacks and breaches, it’s crucial to ensure that your web server is set up as securely as possible. If your server security is compromised, it could result in anything from spam advert injections on a company website, to user data being intercepted and stolen from form submissions.
What is a secure web server?
A secure web server will generally fall into one of two categories. Most commonly, it’s a server on the public web that supports security protocols like SSL, meaning that sensitive data transmitted to and from the server is encrypted for the user’s protection. Alternatively, it can mean a web server used only by a team of employees within a local network, secured against external threats.
To maintain the security of your web servers, and keep potential threats at bay, it’s important to stay up to date with the ever-evolving security landscape.
What security risks can a web server face?
Web servers are one of the most targeted parts of an organization’s network, because of the sensitive data that they typically host. As a result, it’s important that as well as securing web applications and your wider network, you take thorough measures to secure the web servers themselves.
There are several key threats to web servers that you need to be aware of in order to prevent and mitigate them. These include, but are not limited to:
- DoS and DDoS Attacks
Denial of Service attacks and Distributed Denial of Service attacks are techniques cybercriminals will use to overwhelm your servers with traffic until they become unresponsive, rendering your website or network unusable.
- SQL Injections
SQL injections can be used to attack websites and web apps, by sending Structured Query Language requests through web forms to create, read, update, alter or delete data stored in your servers, such as financial information.
- Unpatched software
Software updates and security patches are designed to fix vulnerabilities in older versions of that software. However, once a new patch is released, would-be hackers can reverse-engineer attacks based on the changes, leaving unpatched versions in a vulnerable position. It’s why we recommend using a trusted patch management service to make sure you’re always up-to-date.
- Cross-site scripting
Cross-site scripting, also known as XSS, is a technique similar to an SQL injection: code is injected into server-side scripts to gather sensitive data or to execute malicious client-side scripts.
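To make the SQL injection item above concrete, here is an added example (not code from the original article) that runs the same form lookup two ways: with the form value pasted into the SQL text, and with it bound as a parameter. The table, column names, records and form values are all constructed for illustration, and SQLite stands in for whatever database the server uses.

```python
import sqlite3

def make_db():
    """In-memory table holding constructed sample records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333"), ("o'brien", "4444")],
    )
    return db

def lookup_concatenated(db, owner):
    """Weak form: the form value becomes part of the SQL text itself."""
    query = "SELECT owner, card_last4 FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, owner):
    """Hardened form: the form value is bound as data and never parsed as SQL."""
    query = "SELECT owner, card_last4 FROM accounts WHERE owner = ?"
    return db.execute(query, (owner,)).fetchall()

# Constructed form submissions.
NORMAL = "alice"
CRAFTED = "x' OR '1'='1"   # quote characters change the WHERE clause when concatenated
APOSTROPHE = "o'brien"     # legitimate value that also contains a quote

def row_count(lookup, db, value):
    """Rows returned, or None if the database rejected the statement."""
    try:
        return len(lookup(db, value))
    except sqlite3.OperationalError:
        return None

if __name__ == "__main__":
    db = make_db()
    for value in (NORMAL, CRAFTED, APOSTROPHE):
        print(repr(value),
              "concatenated:", row_count(lookup_concatenated, db, value),
              "parameterized:", row_count(lookup_parameterized, db, value))
```

The concatenated lookup returns every row for the crafted value and fails outright on a legitimate surname containing an apostrophe, while the parameterized lookup returns only exact matches in both cases.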
However, one of the most prevalent threats to server security is human error or carelessness. Whether it’s poorly-written code, easy-to-guess passwords, or a failure to install and update firewalls and other security software, the human element in cybersecurity is typically the weakest link.
You should also consider the physical security of the computers that are acting as your web servers: no matter what security software you use, it could be undermined if physical access to your servers isn’t properly controlled.
What types of web servers are available?
Some of the most popular options for web server software include Apache, LiteSpeed, IIS, Nginx, and Lighttpd. It’s also possible to use ‘virtual servers’, or virtual web hosting services, to run multiple servers from a single computer.
Different types of web server will meet different user needs, but all are typically compatible with major operating systems such as Linux, Windows, and macOS.
Apache Web Server
Apache is open-source and, with a 37.4% share of the market (June 2020), is generally regarded as the most popular web server in the world. It supports Linux, Unix, Windows, Mac OS X, Ubuntu, and other operating systems, and can be easily customized thanks to its modular structure.
Apache is highly stable compared to other web servers.
Nginx Web Server
Nginx is another open-source solution, known for high performance, stability, low resource usage, and highly scalable event-driven architecture. Compatible with most major operating systems, Nginx can also be used as a reverse proxy, mail proxy, HTTP cache, and load balancer.
Lighttpd
A key benefit of Lighttpd is its small CPU load and speed optimization. With an event-driven architecture similar to that of Nginx, Lighttpd is designed to manage a large number of parallel connections and can support features such as Output-compression, FastCGI, Auth, SCGI and URL-rewriting among other things.
Virtual web servers
If you need to manage multiple web domains, it can be more efficient to do this from one machine via virtual web servers, rather than having a dedicated, separate server for each. Virtual servers, or virtual web hosting, can be cost-effective and generally do not impact site performance. However, if too many virtual servers are housed on the same computer, it can lead to web pages being delivered more slowly.
