Weblog

27 April 2010, 08:45

A Hiawatha user has performed a security audit on the Hiawatha source code. In his opinion, 'Hiawatha seems to be doing a great job as far as secure coding'. So, that's something to be proud of. Nevertheless, there were several findings.

Many of those findings concern the usage of strcpy(). I don't agree with the security auditor that it's better to replace all strcpy()'s with strncpy() or strlcpy(). Those functions need the length of the destination buffer as a parameter. If you already know the length of the destination buffer, you can check if the source string will fit in the destination buffer. If it won't fit, you shouldn't start copying, unless you have a good reason to truncate the source string. In my opinion, the best way to safely copy strings is to make sure there is enough space in the destination buffer. Which is what I do throughout the entire Hiawatha code.

Other findings were two array indexing issues and a few memory leaks. All of them would only occur in exceptional situations, so there's nothing to worry about for the current version of Hiawatha. Nevertheless, even a very small security bug is still a security bug, so they have been fixed. Those fixes will be available in Hiawatha 7.3.

I will contact the security auditor and see what more he's willing to do to further improve Hiawatha's security.
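The check-before-copy approach argued for in the post above, next to the silent truncation that strncpy() performs, as an added example that is not part of the original post and is not Hiawatha code. The helper names `copy_if_fits` and `strncpy_truncated` and the sample path are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not taken from Hiawatha: copy src into dst only when
 * the whole string, including its terminating NUL, fits in dst_size bytes.
 * Returns 0 on success, -1 when the copy is refused (dst is left untouched). */
int copy_if_fits(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    if (strlen(src) >= dst_size)   /* no room for the NUL: do not start copying */
        return -1;
    strcpy(dst, src);              /* safe here: the length was checked above */
    return 0;
}

/* For contrast: strncpy() never reports that it truncated, and when src has
 * dst_size or more characters it writes no terminating NUL at all.
 * Returns 1 if dst ended up unterminated, 0 otherwise. */
int strncpy_truncated(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) == NULL;
}

int main(void)
{
    /* Constructed sample input: a path longer than the 16-byte buffer. */
    const char *path = "/var/www/private/index.html";
    char buf[16];

    if (copy_if_fits(buf, sizeof(buf), path) != 0)
        printf("refused: %zu bytes needed, %zu available\n",
               strlen(path) + 1, sizeof(buf));

    if (strncpy_truncated(buf, sizeof(buf), path))
        printf("strncpy left an unterminated prefix: %.*s\n",
               (int)sizeof(buf), buf);
    return 0;
}
```

The caller of `copy_if_fits` has to handle the refusal explicitly, whereas the strncpy() path continues with a shortened, unterminated path prefix unless the caller adds its own check.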

Rew
29 April 2010, 23:30
Good job.
This article really made me move the webserver to Hiawatha on my server.
Thanks for developing the best webserver.
Mike Van Der Geer
11 August 2010, 08:34
Good that you let people test Hiawatha, but who is "Hiawatha user"?
I'm playing devil's advocate here, but why should anyone *trust* what "Hiawatha user" claims?
Hugo Leisink
11 August 2010, 09:45
'Hiawatha user' is someone who wished to remain anonymous. Nobody tells you that you should trust what 'Hiawatha user' claims. Also, nobody tells you to trust what I'm saying about Hiawatha being secure. What I can tell you about 'Hiawatha user' is that he is in no way related to me or to Hiawatha. So, you could ask yourself: "why should he be lying?". And remember that security is mainly based on trust.
Yu
19 November 2012, 16:00
I just like to add that the security of Hiawatha is top notch!
I had it tested by the Netherlands' best security professional and anonymous hackers and they failed to compromise security. Besides that, I have been under severe DDoS attacks and hacking and the webserver still runs without any problems (that is, if I don't mess up the config lol). For me that says it all. By far this is the most secure, fastest and most intuitive webserver around.
Hugo Leisink
19 November 2012, 16:09
Willing to share who that best security professional is?
SC
30 August 2013, 00:17
I can stand by your initial explanation. This was exactly my reasoning when I read about the general 'advisory' to use strncpy or strlcpy. It shows you're not a lazy programmer ;-)