Security Considerations

Securing applications that are accessible to the Internet is not a trivial task. This page outlines some of the issues, and offers tips to help you secure your application using the Embedthis GoAhead product.


Even the best application or HTTP server can experience some security vulnerabilities that are discovered after being deployed in the field. It is highly recommended that you stay up to date with the latest version of GoAhead.

Embedthis offers a Security Enhancement Service as part of an GoAhead commercial license that will proactively notify you of any security flaws and will expedite fixes or workarounds to minimize the vulnerability.

GoAhead User Account

It is important that you run GoAhead with the lowest system privilege that will get the job done. If any application is compromised, including GoAhead, then the system will be safest if the compromised application has as few privileges as possible.

Directory and File Permissions

This section explains the policy should you need to move or modify files and directories.

To enhance security you need to consider the directory and file permissions for three classes of content:

Pages served by the GoAhead server should be owned by root or administrator and should only be readable by the GoAhead user account. Directories containing served pages should be readable and executable only.

Scripts run by the GoAhead server should always be outside all directories containing served pages. After all, you don't want prying eyes viewing your scripts! Scripts should be owned by the root or administrator and should only be readable and executable by the GoAhead user account.

Configuration and log files used by the GoAhead server should always be outside all directories containing served pages or scripts. The directory containing the log files must be writable by the GoAhead user account.

Home Permissions

The home directory in which GoAhead executes should be owned by root or administrator, and should be in the group root or administrators. They should only be writable by this specific user and group.


It is highly recommended that you use Form-based Form authentication and not Basic authentication. As implemented in GoAhead, Form authentication over SSL provides many safeguards against known exploits including; man-in-the-middle attacks, client spoofing, and replay attacks.


Sandboxing is the term applied to running GoAhead in a confined environment. When embedding a HTTP server in an application, the profile of client access is often well known. This profile includes the rate of accesses, the length of URLs and the size of pages returned to the user.

GoAhead has a set of build time configuration options that allow you to define a sandbox which specifies how GoAhead must be used for a request to be serviced. By using well defined sandbox directives, you can help ensure that your application will not be compromised by malicious requests.

Limit Directives

The limit directives are defined in which is used by MakeMe when configuring GoAhead and generating the bit.h header that is included by GoAhead source code.

limitBuffer General I/O buffer size
limitFilename Maximum filename size
limitHeader Maximum size of the request header
limitNumHeaders Maximum number of header lines in the request
limitParseTimeout Maximum time to parse the request headers
limitPassword Maximum size of a password
limitPost Maximum size of the incoming POST request body
limitPut Maximum size of the incoming PUT request body
limitSessionLife Default session lifespan in seconds
limitSessionCount Maximum number of sessions
limitString Default string size
limitTimeout Request inactivity timeout in seconds
limitUri Maximum URI size
limitUpload Maximum size of a file upload request

© Embedthis Software. All rights reserved.