Guidelines for securing public web servers

Web servers publish information over the internet so that anyone with a web browser can retrieve the pages and data they need.

Because they are reachable by anyone, web servers are frequent cyber-attack targets, through both direct and indirect methods, including malware, phishing, or redirecting a user to a fraudulent website that appears legitimate.

Companies and organizations need to have strong web security measures in place to secure the web server(s) they operate and maintain.

Web server security

Companies and organizations need to assess their security needs regularly and identify where their web servers are exposed to risk. Each organization should maintain a written plan covering its security policies and security measures. The plan might include, but is not limited to, the following:

  • Web server configuration and change controls/management policies:
    • How often the operating system and server software are patched and upgraded
    • Which applications and services are permitted on the server, and the limits placed on them
    • Details of user authentication configurations
    • Any additional security measures specific to the company
    • Frequency of routine security testing
  • Security awareness and training for all employees
  • Contingency planning and response plans for any potential server breach
  • Controls and limitations for information that can be published on the web

To help assure overall web server security, the organization's web server administrator should configure every new server to meet the organization's identified security requirements rather than relying on the vendor's default settings, which are chosen for ease of setup, not for security.

Securing a web server requires ongoing review and updates, including:

  • Review of the overall system configuration and of the important data and files the server holds
  • Regular backups of critical information and data
  • Procedures for recovering from any potential data breach
  • Routinely testing and installing software patches, as needed
  • Routinely testing overall security measures

Protecting web content

Information on a public website is, by definition, intended for public use. It is still important to ensure that this content cannot be changed without proper authorization, and that nothing beyond the approved content is exposed. Some controls may include, but are not limited to:

  • Limiting applications and services
  • Installing a host-based intrusion detection or prevention system to detect (and, for a prevention system, block) intrusions and unauthorized changes to the server and its content
  • Using user-authentication controls
  • Continuous review and updates to network infrastructure that supports the web server, including firewalls, routers, etc.
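The requirement that published content cannot be changed without authorization is most commonly enforced by a file-integrity check over the document root, which is also the core of a host-based intrusion detection system. The following is an added example written for this page, not code from the original article or from NIST SP 800-44. It baselines every regular file under a directory (SHA-256 digest plus permission bits), then reports files that were added, removed, changed or left world-writable since the baseline was taken. The document root, file names and file contents built inside demo() are constructed for illustration; the baseline file location is a hypothetical choice.

```python
"""Minimal file-integrity baseline for a web document root (added example).

Not part of the original article or of NIST SP 800-44. In real use the
baseline file must live outside the web root and be writable only by an
administrative account; otherwise an intruder could re-baseline after
tampering.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Symlinks are skipped: a planted link could otherwise point outside the root.
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        mode = stat.S_IMODE(p.lstat().st_mode)
        baseline[rel] = {"sha256": file_digest(p), "mode": mode}
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report differences between a stored baseline and the current state."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    # Any file writable by "other" can be altered by every local account, which
    # defeats the authorization control regardless of what the digest says.
    world_writable = sorted(k for k, v in current.items() if v["mode"] & stat.S_IWOTH)
    return {"added": added, "removed": removed, "changed": changed,
            "world_writable": world_writable}


def demo() -> dict:
    """Build a throwaway document root, baseline it, tamper with it, and report.

    Every file and its contents here are constructed for illustration only.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "img" / "logo.svg").write_text("<svg/>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        for p in root.rglob("*"):
            if p.is_file():
                os.chmod(p, 0o644)  # fix modes so the result does not depend on umask
        baseline_path = Path(tmp) / "baseline.json"  # hypothetical location
        save_baseline(build_baseline(root), baseline_path)

        # Simulate unauthorized changes: a defaced page, a planted file,
        # a deleted file, and a permission change that lets anyone edit an image.
        (root / "index.html").write_text("<h1>Defaced</h1>\n")
        (root / "img" / "planted.php").write_text("<?php /* planted file */ ?>\n")
        (root / "robots.txt").unlink()
        os.chmod(root / "img" / "logo.svg", 0o666)

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it unattended (for example from cron or a systemd timer) against the real document root and alert on any non-empty list; a non-empty "changed" entry for a page that has no scheduled release is exactly the event the breach-response plan above should be triggered by.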

Additional information

Further information and details regarding public web server security can be found in NIST SP 800-44 Version 2, Guidelines on Securing Public Web Servers, published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.


This material is provided for informational purposes only and does not provide any coverage or guarantee loss prevention. The examples in this material are provided as hypothetical and for illustration purposes only. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations contained herein will make any premises or operation safe or in compliance with any law or regulation. By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.


LC 2022-229