Sawtooth Software: The Survey Software of Choice

You are responsible for securing your web server.

Here are a few items to consider:

  • Make sure that *.cgi files (including the password and setup files) are not visible to the world. The server needs to be configured so that it will not permit a browser to display the contents of *.cgi files. One way to do this is to configure your server such that *.cgi files are treated the same as *.pl files. If you are using the Apache web server then the following needs to be added to the Apache configuration file:  

    AddHandler cgi-script .pl
    AddHandler cgi-script .cgi 

    These lines tell the web server to treat all *.pl and *.cgi files as CGI scripts. SSI Web's *.pl files are CGI scripts. The *.cgi files are configuration files. Configuring these as CGI scripts prevents web users from seeing their contents. If you do not have access to the Apache configuration file, you can try placing the above commands in a .htaccess file.

    Make sure that you cannot use a browser to open the file containing your Admin Module passwords (STUDYNAME_config.cgi). For example, you should not be able to view the contents of the STUDYNAME_config.cgi file if you paste an address similar to the one below (using the URL specific to your study) into your browser's address bar:

    Seeing an error message on the screen is the correct result if attempting to access the *.cgi file via a web browser. You should not see the contents of that file.

  • The server needs to be configured so that server directory listings are not visible to the world. If you are using an Apache web server, add this line to the configuration file:

    Options -Indexes 

    Make sure that if you paste the URL to the "admin" folder into your browser's address bar, you are not able to see any file names. For example if you go to (using the URL specific to your study):

    You should see either a blank page or an error page. You should not see a listing of all of the files and folders in the admin folder.
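
The two browser checks above can also be scripted so they are repeated after every server change. The following is an added example, not part of SSI Web or Sawtooth Software's documentation; the function names are hypothetical, the two URLs are supplied by you for your own study, and the "Index of" title it looks for is the one Apache's default directory listing produces.

```python
import re
import sys
import urllib.error
import urllib.request

# Apache's generated directory listings carry a title such as "Index of /admin".
LISTING_MARKER = re.compile(r"<title>\s*Index of\s", re.IGNORECASE)


def fetch(url, timeout=10):
    """Return (status, body) for a GET, treating HTTP errors as normal results."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def config_file_exposed(status, body):
    """True when the server returns content for the *.cgi file instead of an error."""
    # A custom error page served with status 200 also trips this; confirm by eye.
    return 200 <= status < 300 and body.strip() != ""


def listing_exposed(status, body):
    """True when the admin folder URL answers with a directory index."""
    return 200 <= status < 300 and bool(LISTING_MARKER.search(body))


def audit(config_url, admin_url, fetcher=fetch):
    """Check both URLs; each value is True when that item is exposed."""
    return {
        "config_file_exposed": config_file_exposed(*fetcher(config_url)),
        "directory_listing_exposed": listing_exposed(*fetcher(admin_url)),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check.py <URL of STUDYNAME_config.cgi> <URL of admin folder>")
    findings = audit(sys.argv[1], sys.argv[2])
    for name, exposed in findings.items():
        print(f"{name}: {'FAIL' if exposed else 'ok'}")
    sys.exit(1 if any(findings.values()) else 0)
```

A non-zero exit status means at least one of the two items is still visible and the Apache settings above have not taken effect for that location.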