Recipe 6.18 Securing WebDAV
Problem
You want to allow your users to upload and otherwise manage their web documents with WebDAV, but without exposing your server to any additional security risks.
Solution
Require authentication to use WebDAV:
<Directory "/www/htdocs/dav-test">
    # Host-based control rejects every client, so with "Satisfy any" the
    # only way in is a successful Digest login
    Order Allow,Deny
    Deny from all
    # Digest, not Basic: the password never crosses the wire in clear text
    AuthType Digest
    AuthDigestFile /www/acl/.htpasswd-dav-test
    AuthDigestDomain /dav-test/
    AuthName "DAV access"
    # Any user listed in the Digest database may use DAV methods here
    Require valid-user
    Satisfy any
</Directory>
Discussion
Because WebDAV operations can modify your server's resources and mod_dav runs as part of the server, locations that are WebDAV-enabled need to be writable by the user specified in the server's User directive. This means that the same location is writable by any CGI scripts or other modules that run as part of the Apache server. To keep remote modification operations under control, you should enable access controls for WebDAV-enabled locations. If you use weak controls, such as user-level authentication, you should use Digest authentication rather than Basic, as shown in the Solution.

The contents of the <Directory> container could be put into a dav-test/.htaccess file, as well. Note that the authentication database (specified with the AuthDigestFile directive) is not within the server's URI space, and so it cannot be fetched with a browser nor with any WebDAV tools.

Your authentication database and .htaccess files should not be modifiable by the server user; you don't want them getting changed by your WebDAV users!
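The ownership rules in this discussion are easy to state and easy to get wrong during deployment, so here is an added audit script (not from the Apache Cookbook) that checks them against the filesystem: the DAV-enabled directory must be writable by the httpd User, while the Digest database and the .htaccess file must not be. The server user name and the three paths are assumptions supplied by the caller; the files the demo creates under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not part of the Apache Cookbook recipe). It judges
# writability from the inode alone: owner, group-writable bit, other-writable
# bit. Group-writable counts as writable without checking group membership,
# a deliberately conservative choice for an access-control file.
# Assumptions: SERVER_USER is the value of the httpd User directive; the
# paths are the DAV directory, the AuthDigestFile and the .htaccess file.

# writable_by USER PATH: exit 0 if USER can write PATH, 1 otherwise.
writable_by() {
    user=$1
    path=$2
    # owned by the server user (an unknown user name simply yields no match)
    [ -n "$(find "$path" -prune -user "$user" -print 2>/dev/null)" ] && return 0
    # world-writable
    [ -n "$(find "$path" -prune -perm -002 -print 2>/dev/null)" ] && return 0
    # group-writable (treated as writable; see note above)
    [ -n "$(find "$path" -prune -perm -020 -print 2>/dev/null)" ] && return 0
    return 1
}

# audit_dav_layout USER DAVDIR AUTHFILE HTACCESS
# Prints one line per finding and returns the number of findings;
# 0 means the layout matches what the recipe expects.
audit_dav_layout() {
    user=$1
    davdir=$2
    authfile=$3
    htaccess=$4
    problems=0
    if ! writable_by "$user" "$davdir"; then
        echo "PROBLEM: $davdir is not writable by server user $user; mod_dav cannot store files there"
        problems=$((problems + 1))
    fi
    for f in "$authfile" "$htaccess"; do
        if writable_by "$user" "$f"; then
            echo "PROBLEM: $f is writable by server user $user; anything running as the server could change access control"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Stand-alone demonstration on a constructed layout in a temp directory.
# Running it as the account that owns the files shows the failure mode the
# recipe warns about: the auth database and .htaccess belong to the server user.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/dav-test" "$tmp/acl"
    chmod 755 "$tmp/htdocs/dav-test"
    # constructed Digest database line; the hash field is a placeholder, not a credential
    printf 'alice:DAV access:00000000000000000000000000000000\n' > "$tmp/acl/.htpasswd-dav-test"
    printf 'Require valid-user\n' > "$tmp/htdocs/dav-test/.htaccess"
    chmod 644 "$tmp/acl/.htpasswd-dav-test" "$tmp/htdocs/dav-test/.htaccess"
    audit_dav_layout "$(id -un)" "$tmp/htdocs/dav-test" \
        "$tmp/acl/.htpasswd-dav-test" "$tmp/htdocs/dav-test/.htaccess" \
        || echo "findings: $?"
    rm -rf "$tmp"
}

demo
```

One caveat the mode bits alone do not capture: a .htaccess file that is itself read-only but sits in a directory the server user can write to can still be unlinked and replaced by anything running as that user, because deleting a file is governed by the directory's write bit, not the file's. Keeping the .htaccess content in httpd.conf, as the Solution does, sidesteps that entirely.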
See Also