Hiawatha webserver
Hiawatha is a secure webserver available for multiple platforms. It has been developed by Hugo Leisink since 2002.

History

Hiawatha started in January 2002 as a very small webserver, suitable for servers with old hardware. It was written for internet servers in student houses in Delft. Because the author was a computer science student with special interest in IT security, all sorts of experimental security features were included. This resulted in a webserver with many interesting security features which have proved useful. The author has said "I know for a long time that vulnerabilities [exist in other webservers]. [One thing] that bothers me: the runtime of a CGI. A CGI process [under other webservers] can run forever. A single CGI script can DoS a webserver. A system administrator is needed to kill the script. And what about a client that keeps on guessing passwords for HTTP authentication? These kind of issues inspired me to create Hiawatha, with settings for maximum request sending time, maximum CGI run time, client banning, etc. Features that, in my opinion, every daemon should have."

The January 2009 edition of Linux Magazine contained an article about the Hiawatha webserver.

Important releases:
  • 1.0: September 2002. A basic but functional webserver.
  • 2.0: March 2004. Use of multithreading instead of forking.
  • 3.0: September 2004. SSL support.
  • 4.0: December 2005. A CGI-wrapper for improved security was included.
  • 5.0: October 2006. FastCGI support for improved CGI speed.
  • 5.12: August 2007. URL rewriting support.
  • 6.0: October 2007. IPv6 support.
  • 6.6: April 2008. XSLT support.
  • 6.10: October 2008. Cross-site request forgery prevention added.
  • 7.0: February 2010. Remote monitoring support.

Features

Hiawatha has many security features that no other webserver has, like prevention of SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF), denial-of-service protection, control of external image linking, banning of potential hackers and limiting the runtime of CGI applications. The author is currently working on RFC 3546 (Server Name Indication) support, but "the OpenSSL documentation is just extremely poor" so progress is difficult.

Performance

Hiawatha supports load-balanced FastCGI, which makes it fast and scalable for handling dynamic content.

See also

  • Comparison of web servers
  • Comparison of lightweight web servers

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 