How to set up a secure web server

Katie Chadd 18 Aug 2020

Improving security on web servers is vital to protect against hackers and data breaches

To minimize the risk of your business losing data to hacks and breaches, it’s crucial to ensure that your web server is set up as securely as possible. If your server security is compromised, it could result in anything from spam advert injections on a company website, to user data being intercepted and stolen from form submissions.

What is a secure web server?

A secure web server will generally fall into one of two categories. Most commonly, it’s a server on the public web that supports security protocols like SSL, meaning that sensitive data transmitted to and from the server is encrypted for the user’s protection. Alternatively, it can mean a web server used only by a team of employees within a local network, secured against external threats.

To maintain the security of your web servers, and keep potential threats at bay, it’s important to stay up to date with the ever-evolving security landscape. 

What security risks can a web server face?

Web servers are one of the most targeted parts of an organization’s network, because of the sensitive data that they typically host. As a result, it’s important that as well as securing web applications and your wider network, you take thorough measures to secure the web servers themselves.

There are several key threats to web servers that are important to be aware of, to prevent and mitigate those risks. These include, but are not limited to:

  • DoS and DDoS Attacks
    Denial of Service attacks and Distributed Denial of Service attacks are techniques cybercriminals will use to overwhelm your servers with traffic until they become unresponsive, rendering your website or network unusable.

  • SQL Injections
    SQL injections can be used to attack websites and web apps, by sending Structured Query Language requests through web forms to create, read, update, alter or delete data stored in your servers, such as financial information.

  • Unpatched software
    Software updates and security patches are designed to fix vulnerabilities in older versions of that software. However, once a new patch is released, would-be hackers can reverse-engineer attacks based on the changes, leaving unpatched versions in a vulnerable position. It’s why we recommend using a trusted patch management service to make sure you’re always up-to-date.

  • Cross-site scripting
    Cross-site scripting, also known as XSS, is a technique similar to an SQL injection - code is injected into server-side scripts to gather sensitive data or to execute malicious client-side scripts.

However, one of the most prevalent threats to server security is human error or carelessness. Whether it’s poorly-written code, easy-to-guess passwords, or a failure to install and update firewalls and other security software, the human element in cybersecurity is typically the weakest link. 

You should also consider the physical security of the computers that are acting as your web servers: no matter what security software you use, it could be undermined if physical access to your servers isn’t properly controlled.

What types of web servers are available?

Some of the most popular options for web server software include Apache, LiteSpeed, IIS, Nginx, and Lighttpd. It’s also possible to use ‘virtual servers’, or virtual web hosting services, to run multiple servers from a single computer.

Different types of web server will meet different user needs, but all are typically compatible with major operating systems such as Linux, Windows, and macOS. 

Apache Web Server 

Apache is open-source and, with a 37.4% share of the market (June 2020), is generally regarded as the most popular web server in the world.  It supports Linux, Unix, Windows, Mac OS X, Ubuntu, and other operating systems, and can be easily customized thanks to its modular structure. 

Apache is highly stable compared to other web servers.

Nginx Web Server

Nginx is another open-source solution, known for high performance, stability, low resource usage, and highly scalable event-driven architecture. Compatible with most major operating systems, Nginx can also be used as a reverse proxy, mail proxy, HTTP cache, and load balancer.


A key benefit of Lighttpd is its small CPU load and speed optimization. With an event-driven architecture similar to that of Nginx, Lighttpd is designed to manage a large number of parallel connections and can support features such as Output-compression, FastCGI, Auth, SCGI and URL-rewriting among other things. 

Virtual web servers

If you need to manage multiple web domains, it can be more efficient to do this from one machine via virtual web servers, rather than having a dedicated, separate server for each. Virtual servers, or virtual web hosting, can be cost-effective and generally does not impact site performance. However, if too many virtual servers are housed on the same computer, it can lead to web pages being delivered more slowly.

What is the difference between network security and server security?

Server security is just one part of a broader, holistic network security strategy. Whereas server security refers specifically to the measures taken to protect your web servers and the data they process, network security also includes things like firewalls and antivirus software to protect other parts of the network.

Employee laptops, smartphones, and other internet-connected devices are all parts of your network that should be secured against threats. Phishing emails, spoof websites, and malicious applications are just a few of the risks, which is why it’s important to use comprehensive endpoint protection in addition to web server security. This encompasses perimeter security, such as firewalls, as well as software that prevents potential threats from entering your network undetected. 

How to secure your web server

To set up a secure new web server, or improve the security of your business’s existing web servers, there are several simple steps you can take.

  • Remove unnecessary services
    Default operating systems and configurations lack comprehensive security. Generally speaking, there are many network services included in a default installation that won’t be used, from remote registry services to print server service and other features.

    The more services you have running on your server operating system, the more ports are left open – meaning more doors into the network that a malicious hacker could exploit. As well as helping with security, removing unnecessary services can also boost your server performance.

  • Create separate environments for development, testing, and production
    Developing and testing are often done on production servers, which is why you may sometimes come across websites or pages online that feature details like /new/ or /test/ in the URL. Web applications that are in their early development stages will often have security vulnerabilities and can be exploited using freely available online tools.

    You can help to minimize the risk of a breach by keeping development and testing to servers isolated from the public internet, and not connecting them to important data and databases.

  • Set permissions and privileges
    Network service permissions, and file permissions, play a crucial role in your network security. If your web server is compromised through network service software, the bad actor can use whichever account the network service is running to carry out tasks. Because of this, the simple act of setting minimum privileges for users to access web app files and back end databases can be instrumental in preventing loss or manipulation of data.

  • Keep patches up to date
    As mentioned earlier in this article, failure to keep software up to date with the latest patches can allow cybercriminals to reverse-engineer pathways into your network.

  • Segregate and monitor server logs
    As part of your regular security testing, store your server logs in segregation, and monitor and check them frequently. Unusual log file entries reveal information about attempted and successful attacks and should be investigated as and when they arise.

  • Install a firewall
    Software-based firewalls are easy to set up and manage and will protect your web servers from unauthorized communication and intrusions.

  • Automate backups
    Making regular server backups ensures that if your security defenses are compromised, you can recover and restore data quickly. Automation can improve efficiency, but an IT employee should check for issues that may have interrupted the process.

Server security software

Your business’s cybersecurity is only as strong as its weakest link. Along with regular training for system administrators and IT professionals to ensure knowledge is up to date with the latest threats, all entry points into your network must be protected and secured with professional endpoint protection.

Learn how Avast Business endpoint protection can help defend your business against malware, data breaches and advanced attacks. 

--> -->