The first thing you should do when you start designing a web site is to create an index page. You would think that this is basic knowledge in web design, but I still encounter web sites that lack one.

If there's no index page, and the web host's server has not been set to restrict directory access, any visitor will see a directory listing of all the images, HTML pages, CGI-scripts, and other files in the directory. Everything will then be accessible for reading and downloading, and the CGI-scripts will also be executable!

So, for basic security it is most important to have an index page in all your directories, whether they contain only pictures or garbage. In directories that are private or that contain things other than HTML pages, the index page need only print out a text like "access forbidden" or something in that spirit. In directories containing one or more HTML pages, one of the pages must be named "index.html," whether it is a page with real content or is there only for security reasons.

If you have a directory specifically for CGI-scripts, it runs a higher security risk, because most of the time these directories are called CGI-bin, or a variant of that. Anyone who is after your scripts is undoubtedly familiar with this and can access the directory by typing the directory name in the targeted site's URL, if it's not properly protected by an index page. Imagine the horror when someone uses your mailing list program to spam all your subscribers or decides to sell your email list. Selling email lists is quite a big business. A large email list is worth thousands of US dollars nowadays.

I could have done all these things if I had any bad intentions when I accidentally bumped into an unprotected site. Actually, I bumped into two huge, unprotected subscriber lists in the last two months, which prompted me to write this article. But of course, I did the proper thing and emailed the web sites' webmasters about their oversight. You would think that these professional-looking and professionally operating web sites, with email lists of respectively 8,000 and 15,000 subscribers, would know better.

Even if your site is made by a web design company, make sure all your directories are protected. In fact, one of the two unfortunate web sites I uncovered is a web design company. So, check out your site for this unnecessary security gap, right now.
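One way to run that check on your own copy of the site, as an added example that is not part of the original article: the script walks a local web root, lists every directory that has no index page, and can drop in an "access forbidden" placeholder. The function names, the sample directory tree and the assumption that the server treats only "index.html" as the index file are illustrative.

```python
import os
import tempfile

# Assumption: the server serves only "index.html" as a directory index.
# The article names just that file; extend the tuple to match your server.
INDEX_NAMES = ("index.html",)
PLACEHOLDER = "<html><body><p>Access forbidden</p></body></html>\n"


def find_unprotected_dirs(webroot, index_names=INDEX_NAMES):
    """Return sorted relative paths of directories that have no index page."""
    missing = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if not set(index_names) & set(filenames):
            missing.append(os.path.relpath(dirpath, webroot))
    return sorted(missing)


def add_placeholder_indexes(webroot, missing, dry_run=True):
    """Write a placeholder index.html into each listed directory."""
    written = []
    for rel in missing:
        target = os.path.join(webroot, rel, "index.html")
        if not dry_run:
            # Mode "x" refuses to overwrite a file that already exists.
            with open(target, "x", encoding="utf-8") as fh:
                fh.write(PLACEHOLDER)
        written.append(target)
    return written


def build_sample_site(root):
    """Constructed sample tree: only the top level has an index page."""
    for rel in ("", "images", "cgi-bin", "private/lists"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in ("index.html", "images/logo.gif", "cgi-bin/mail.cgi",
                "private/lists/subscribers.txt"):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        gaps = find_unprotected_dirs(site)
        print("no index page:", gaps)
        add_placeholder_indexes(site, gaps, dry_run=False)
        print("after fix:", find_unprotected_dirs(site))
```

An index page only hides the listing: a file in the directory can still be requested by anyone who knows its name, so keep subscriber lists and similar data outside the web root or behind access control.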

Article written by Lee.

http://www.webmasterconsultants.com