None of these should be a problem.

On Jun 10, 1:45 pm, Salvor Hardin <salvor.pub...@gmail.com> wrote:
> We selected web2py over django and pylons to replace RoR.  Luckily,
> that project doesn't require paranoid security (hence our ability to
> use RoR in the past.)
>
> But we're evaluating web2py to replace a Win32 GUI intranet app, and
> preventing hacks on the server side is pretty high on the priority
> list for that project.  For example, we want to prevent users from
> modifying web2py's .py files, etc. by exploiting security flaws in
> Python or python modules.
>
> What are some ways to improve the security of web2py apps on
> production servers?
>
>  * Use mod_security and its Core Rule Set (no web2py compatibility
> issues?)
>
>  * Prevent the Apache2 user (www-data) from having write access or
> chmod rights to web2py application files?
>
>  * chown/chmod web2py files to require root access to upgrade to newer
> web2py?
>
> I'm not asking for changes to web2py. I'm just looking for best
> practices on projects that value security over certain features like
> web-based upgrades or web-based deployment, etc.  For example,
> requiring root access to upgrade web2py would be seen as a benefit on
> at least one project.
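
The ownership and permission checks asked about in the quoted message, as an added example that is not part of the thread or of web2py itself: a POSIX shell audit that lists every path under a web2py tree that is not owned by the expected owner or is group/world-writable. The function names and the list of per-application runtime directories left writable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: these per-application
# directories hold web2py runtime data and may remain writable.
RUNTIME_DIRS="sessions errors databases cache uploads"

# True if a path relative to the web2py root is
# applications/<app>/<runtime dir>[/...]
is_runtime_path() {
    case $1 in
        applications/*/*) ;;
        *) return 1 ;;
    esac
    sub=${1#applications/*/}   # shortest match strips "applications/<app>/"
    top=${sub%%/*}             # first component below the application
    for d in $RUNTIME_DIRS; do
        if [ "$top" = "$d" ]; then return 0; fi
    done
    return 1
}

# audit_web2py_tree ROOT [OWNER]
# Prints each path under ROOT that is not owned by OWNER (default: root) or
# is group/world-writable, ignoring the runtime directories.
# Returns 1 when anything was printed. POSIX ACLs are not inspected.
audit_web2py_tree() {
    root=${1%/}
    owner=${2:-root}
    # Symlinks are skipped because their own mode bits carry no meaning.
    find "$root" ! -type l \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print |
    {
        found=0
        while IFS= read -r path; do
            rel=${path#"$root"/}
            if is_runtime_path "$rel"; then continue; fi
            printf '%s\n' "$path"
            found=1
        done
        [ "$found" -eq 0 ]
    }
}
```

An empty result with exit status 0 means only the expected owner can modify code and framework files; each printed path is one to chown or chmod before the server goes live.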
