I've been writing Python scripts that run locally. I would now like to offer a service online using one of these Python scripts, and through the web hosting I have, I can run Python in the cgi-bin.
The Python script takes input from an HTML form filled in by the user, has the credentials and connects to a local database, calculates stuff using Python libraries, and sends out the results as HTML to be displayed.
What I would like to know is what security precautions I should take. Here are my worries:
- What are the right file permissions for scripts called via web? 755?
- I am taking user input. How do I guarantee it is sanitized?
- I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?
- Can I install the other libraries next to the file? Do I have to worry about security of/in these as well? Do I set their permissions to 700? 744?
- Any other vulnerability I am unaware of?
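As an added example (not the asker's script, and not tied to any particular host), here is how a Python CGI handler of the kind described above can address three of these worries: the database credentials are read from a file outside every served directory and refused if group- or world-readable, the query is parameterised so form input is never pasted into SQL, and every user-derived value is HTML-escaped before it goes into the response. sqlite3 stands in for the local database; the `items` table, the form field name `item`, and the credentials path are assumptions.

```python
import html
import json
import os
import sqlite3
import sys
from urllib.parse import parse_qs

# Assumption: credentials live OUTSIDE every served directory (not in cgi-bin), owned
# by the user the CGI runs as, mode 0600. A file under the web root can leak as text.
CREDENTIALS_PATH = os.environ.get("APP_CREDENTIALS", "/home/user/private/db.json")

def load_credentials(path=CREDENTIALS_PATH):
    """Read DB credentials from a non-served file; refuse group/world-readable ones."""
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}: readable by group/others")
    with open(path) as fh:
        return json.load(fh)

def read_form():
    """Parse the GET query string or the POST body; the deprecated cgi module is not needed."""
    if os.environ.get("REQUEST_METHOD") == "POST":
        return parse_qs(sys.stdin.read(int(os.environ.get("CONTENT_LENGTH", "0"))))
    return parse_qs(os.environ.get("QUERY_STRING", ""))

def lookup_item(conn, item_name):
    """Parameterised query: the driver binds item_name, so quotes in it stay data, not SQL."""
    return conn.execute("SELECT name, price FROM items WHERE name = ?", (item_name,)).fetchall()

def render(rows, query):
    """Escape every user-derived value before writing it into the HTML response."""
    lis = "".join(f"<li>{html.escape(n)}: {html.escape(str(p))}</li>" for n, p in rows)
    return f"<p>Results for {html.escape(query)}</p><ul>{lis}</ul>"

def handle_request(conn, form):
    item = form.get("item", [""])[0]          # form is a parse_qs dict: name -> [values]
    if not 0 < len(item) <= 64:               # bound the input before it is used anywhere
        return "<p>Invalid item name.</p>"
    return render(lookup_item(conn, item), item)

def sample_db():
    conn = sqlite3.connect(":memory:")        # constructed stand-in for the local database
    conn.execute("CREATE TABLE items (name TEXT, price REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [("widget", 9.5), ("gadget", 12.0)])
    return conn

if __name__ == "__main__":
    creds = load_credentials()                # in production, passed to the real DB connect
    print("Content-Type: text/html; charset=utf-8\n")
    print(handle_request(sample_db(), read_form()))
```

The script file itself still needs to be executable by the web server user (755 is the usual choice for cgi-bin), but nothing secret lives in it, so being readable is no longer a leak of the database password.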