
WorldServer: How can I change the WorldServer options to increase security?


Information

Article Type: Solution Article
Scope/Environment: WorldServer

Symptoms/Context

How can I configure WorldServer to increase security?
Resolution

There are a number of properties that must be set explicitly by altering values in your general.properties file; they are not enabled by default.
The recommended settings for the highest level of security are the following:

• use_secure_urls=true
  (Uses a lengthened token string, rather than just digits)

• session_client_check=on
  (Prevents the session token being shared between browsers/users, i.e. by users copying and pasting URLs)

• enable_xss_protection=true
  (Prevents cross-site scripting)

• password_autocomplete=off
  (Prevents users saving / autocompleting passwords in the web browser)

• allow_credentials_in_url=false
  (Prevents username and password being passed as query-string arguments)

• illegal.upload.extension=exe|com|bat|vbs
  (Prevents users uploading potentially dangerous executable code into AIS)

• use_http_only_cookies=true

• show_stacktrace=false
  (Prevents a stack trace being shown to the user in the event of an error, which could aid a would-be attacker)

Since these settings are deviations from the application defaults, you should follow the instructions here to achieve an upgrade-proof configuration.

Note that you should change these settings in all of the general.properties files, including those in the WS_CONFIG subfolders.
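Because these values must be checked in every general.properties file, including the copies under the WS_CONFIG subfolders, a small audit script is useful after an upgrade. The following is an added example written for this article, not SDL or WorldServer code: it parses the Java .properties format (an assumption about the file format), compares each file against the recommended values listed above, treats a missing key as "application default applies", and accepts a superset of the recommended illegal.upload.extension list. The sample file contents are constructed, not taken from a real installation.

```python
"""Audit WorldServer general.properties files for the recommended security settings.

Added example (not SDL/WorldServer code). Assumes the Java .properties file format
and the property names/values listed in the article.
"""
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Recommended values from the article, keyed by property name.
RECOMMENDED: Dict[str, str] = {
    "use_secure_urls": "true",
    "session_client_check": "on",
    "enable_xss_protection": "true",
    "password_autocomplete": "off",
    "allow_credentials_in_url": "false",
    "illegal.upload.extension": "exe|com|bat|vbs",
    "use_http_only_cookies": "true",
    "show_stacktrace": "false",
}

# Constructed sample: a partly hardened file with one recommended key missing.
SAMPLE_PROPERTIES = """\
# WorldServer general.properties (constructed sample)
use_secure_urls=true
session_client_check=off
enable_xss_protection=true
password_autocomplete=on
allow_credentials_in_url=false
illegal.upload.extension=exe|com|bat|vbs|ps1
show_stacktrace=true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '=' or ':' separators, '#'/'!' comment
    lines and trailing-backslash line continuations. Escaped separators inside
    keys are not handled; WorldServer's keys do not need them."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                key, value = line[:i], line[i + 1:]
                break
        else:                             # bare key with no value
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def _extensions(value: str) -> set:
    """Split a pipe-separated extension list into a lower-cased set."""
    return {e.strip().lower() for e in value.split("|") if e.strip()}


def audit(props: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, expected, actual) for every recommended setting that is
    unset or differs. Values compare case-insensitively; the upload-extension
    list only has to contain the recommended extensions (extra ones are fine).
    An unset key is reported as '<unset>' because the application default applies."""
    findings = []
    for key, expected in RECOMMENDED.items():
        actual: Optional[str] = props.get(key)
        if actual is None:
            findings.append((key, expected, "<unset>"))
        elif key == "illegal.upload.extension":
            if not _extensions(expected) <= _extensions(actual):
                findings.append((key, expected, actual))
        elif actual.lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings


def audit_text(text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse then audit a single file's contents."""
    return audit(parse_properties(text))


def audit_tree(root: Path) -> Dict[str, List[Tuple[str, str, str]]]:
    """Audit every general.properties below root, which picks up the copies in
    the WS_CONFIG subfolders as well as the top-level file."""
    return {
        str(path.relative_to(root)): audit_text(path.read_text(encoding="utf-8"))
        for path in sorted(root.rglob("general.properties"))
    }


if __name__ == "__main__":
    for key, expected, actual in audit_text(SAMPLE_PROPERTIES):
        print(f"{key}: expected {expected}, found {actual}")
```

Run `audit_tree(Path("/path/to/WorldServer"))` (path is a placeholder) to get a per-file list of deviations; an empty list for every file means the recommended values are in place everywhere.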
Root Cause

As with any browser-based application, website security features are very high on the list of non-functional requirements for SDL WorldServer. There are a variety of attack vectors that malicious users or others could exploit, but there are also a number of ways to reduce or eliminate the potential risk.