AsiaBSDCon 2017 Secure CGI

CGI or FastCGI?

Conclusions?

Internal security is more difficult for FastCGI because of what the application itself must do: receive connections for data.

To account for this securely, applications are going to need to start an unprivileged child process after reading the HTTP request off the wire. What's the point of FastCGI if we're starting a new child anyway?
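The per-request child described above, as an added example that is not code from the talk or from any project it covers. The names `handle_request` and `parse_untrusted` and the toy request-line grammar are assumptions, and `setrlimit` is a portable stand-in for a real sandbox call.

```c
#include <sys/resource.h>
#include <sys/wait.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical parser for the untrusted bytes: accepts only "GET /path ...".
 * The path starts at req + 4; returns its length, or -1 to reject. */
static ssize_t parse_untrusted(const char *req, size_t len)
{
    size_t i;
    if (len < 5 || memcmp(req, "GET /", 5) != 0)
        return -1;
    for (i = 4; i < len && req[i] != ' '; i++)
        if (req[i] < 0x21 || req[i] > 0x7e)     /* control or non-ASCII byte */
            return -1;
    return i == len ? -1 : (ssize_t)(i - 4);    /* -1: line never terminated */
}

/* The parent has already read `raw` off the wire. One child per request is
 * forked and confined; returns 0 with the validated path, -1 otherwise. */
int handle_request(const char *raw, size_t rawlen, char *path, size_t pathsz)
{
    struct rlimit none = { 0, 0 };
    ssize_t n;
    pid_t pid;
    int fds[2], status;

    if (pathsz == 0 || pipe(fds) == -1)
        return -1;
    if ((pid = fork()) == 0) {                  /* child: parses hostile input */
        close(fds[0]);
        /* Portable stand-in for a sandbox: no new descriptors from here on.
         * On OpenBSD, pledge("stdio", NULL) would be the call to make here. */
        if (setrlimit(RLIMIT_NOFILE, &none) == -1)
            _exit(1);
        n = parse_untrusted(raw, rawlen);
        if (n < 0 || (size_t)n >= pathsz || write(fds[1], raw + 4, (size_t)n) != n)
            _exit(1);
        _exit(0);
    }
    close(fds[1]);
    n = pid == -1 ? -1 : read(fds[0], path, pathsz - 1);
    close(fds[0]);
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || n <= 0)
        return -1;
    path[n] = '\0';
    return 0;
}
```

Every call to `handle_request` costs one `fork`, which is the same per-request process cost that plain CGI already pays.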

In this tutorial, we'll focus on CGI—FastCGI can be done right, but it requires a much stronger investment of resources (beyond the scope of this talk).