
We have a number of test environments that are permanently internet facing to accommodate external and automated testers with dynamic IP addresses. While we regularly check the servers for security vulnerabilities, we found that they had been indexed by Google and other search engines. This led to a situation where customers were clicking on search engine links and attempting to use the UAT environment for real business. We've put a few controls in place to ensure this does not happen again, but to avoid future mistakes I was hoping there is a standard available that says, e.g.:

  1. Ensure sites are not indexed by search engines by making use of robots.txt or robots meta tags (a sketch of what I mean follows this list)
  2. Clearly mark UAT environments as different from Prod environments
  3. Etc...
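
For concreteness, point 1 is the kind of control I mean. The following is only an illustrative sketch, assuming a Python/Flask front end for the test site (the route and handler names are my own, not from any standard):

```python
# Sketch: discourage indexing of a test environment.
# Assumes a Python/Flask front end; adapt to whatever actually serves the UAT site.
from flask import Flask, Response

app = Flask(__name__)

@app.route("/robots.txt")
def robots_txt():
    # Ask well-behaved crawlers to stay out of the whole site.
    return Response("User-agent: *\nDisallow: /\n", mimetype="text/plain")

@app.after_request
def add_noindex_header(response):
    # X-Robots-Tag also covers non-HTML responses that a
    # <meta name="robots"> tag cannot reach.
    response.headers["X-Robots-Tag"] = "noindex, nofollow"
    return response

if __name__ == "__main__":
    app.run()
```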

Is there a standard / checklist available for this specific use case?

Joe

1 Answer


There is no such standard. Even robots.txt is only a recommendation that bots may follow or ignore, and some will even explicitly look at what is behind the paths they are asked not to crawl. Test environments can actually be interesting to a potential attacker, since they often have weaker security.

If you don't want others to crawl your site, you need to explicitly restrict access instead of hoping that they voluntarily stay away. Such explicit restrictions are done, for example, with authentication using username and password or client certificates, or by restricting who can reach the site based on source IP address. This is like putting a lock on the door so that only a few users have the key, instead of just putting up a sign that kindly asks others not to open it.
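
As a rough sketch of what such an explicit restriction can look like, assuming again a Python/Flask app (the allowed network range and credentials below are placeholders, not recommendations):

```python
# Sketch: explicit access restriction instead of relying on robots.txt.
import ipaddress
from flask import Flask, request, abort, Response

app = Flask(__name__)

ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # example tester range
VALID_CREDENTIALS = {"tester": "change-me"}                  # or back this with an IdP

@app.before_request
def restrict_access():
    # 1. Source-IP allowlist: reject anything outside the known tester ranges.
    client_ip = ipaddress.ip_address(request.remote_addr)
    if not any(client_ip in net for net in ALLOWED_NETWORKS):
        abort(403)

    # 2. HTTP basic auth: the "lock on the door".
    auth = request.authorization
    if not auth or VALID_CREDENTIALS.get(auth.username) != auth.password:
        return Response(
            "Authentication required", 401,
            {"WWW-Authenticate": 'Basic realm="UAT"'},
        )

@app.route("/")
def index():
    return "UAT environment - authorized testers only"

if __name__ == "__main__":
    app.run()
```

Since the testers in the question have dynamic IP addresses, the credential check (or client certificates, or a VPN) will likely do most of the work, with the IP restriction reserved for ranges that are actually known.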

Steffen Ullrich