Securing OS X’s Personal Web Sharing

I recently covered getting the Mac’s built-in web server running nicely and mentioned how switching it on also forces the firewall to open port 80, which isn’t a great idea for a standalone development server.

Assuming you’re using a setup similar to the one I described configuring, a quick’n’dirty fix to keep out prying eyes is to edit /private/etc/httpd/httpd.conf (e.g. with sudo pico /private/etc/httpd/httpd.conf), changing all instances of

    Order allow,deny
    Allow from all

to

    Order deny,allow
    Deny from all
    Allow from localhost

Drop into the users subfolder and do the same for each user’s .conf file, then stop and restart sharing.

Your web server will still be reachable, so it’s no substitute for a full firewall block, but external browsers will be denied access to your files. Alternatively, you can alter the settings so that the web server doesn’t listen on port 80, but I wanted a fix that wouldn’t clash with Headdress, which seems to include Listen 80 in its block of settings.

You can also add a touch of extra security-through-obscurity by going into httpd.conf again and setting ServerSignature to Off, reducing the amount of information Apache gives away.
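
A quick way to confirm no block was missed after editing httpd.conf and the per-user files, as an added example that is not from the original post: the script flags every uncommented Allow from all and any ServerSignature not set to Off. The function names audit_conf and write_sample and the sample config (including the user "alice") are made up for this example.

```sh
#!/bin/sh
# Added example: audit Apache 1.3-style config files for the directives the
# article says to change. Not part of the original post.

# audit_conf FILE...
# Prints "file:line: directive" for every uncommented "Allow from all" and for
# any ServerSignature value other than Off. Exit status is 1 if anything is found.
audit_conf() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }                  # ignore commented-out directives
        {
            d = tolower($0)                  # compare case-insensitively
            gsub(/[ \t]+/, " ", d)           # collapse runs of whitespace
            sub(/^ /, "", d); sub(/ $/, "", d)
        }
        d == "allow from all" {
            printf "%s:%d: Allow from all\n", FILENAME, FNR; bad = 1
        }
        d ~ /^serversignature / && d != "serversignature off" {
            printf "%s:%d: %s\n", FILENAME, FNR, $0; bad = 1
        }
        END { exit bad }
    ' "$@"
}

# Constructed sample: one directory block still open, one already restricted,
# one commented-out directive that must not be reported.
write_sample() {
    cat > "$1" <<'EOF'
<Directory "/Users/alice/Sites/">
    Order allow,deny
    Allow from all
</Directory>
<Directory "/Library/WebServer/Documents">
    Order deny,allow
    Deny from all
    Allow from localhost
</Directory>
# Allow from all
ServerSignature On
EOF
}

# Usage: sh audit.sh /private/etc/httpd/httpd.conf /private/etc/httpd/users/*.conf
if [ "$#" -gt 0 ]; then audit_conf "$@"; fi
```

No output and exit status 0 mean every file passed; this checks the files on disk only, so sharing still has to be stopped and restarted for the changes to take effect.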


