Computer Security: CERN, Beautified

CERN, home of the World Wide Web, provides a plethora of informative websites to the world. Besides the CERN central web services like CDS, EDMS, Indico and Zenodo, there are the central Drupal, SharePoint and WordPress services with more-or-less moderated content, and the DFS and OpenShift services hosting more than 10 000 different individual websites containing even more information about CERN, projects and plans, systems and services, technologies and implementation, conferences and meetings, work and proceedings, personal achievements and success stories, etc. While there are many beautiful jewels among those 10 000 websites, there are also plenty of eyesores. Totally empty websites. Broken ones giving error codes. Test sites. Sites stating just "Hello World!". Abandoned websites. Orphaned ones. And many that have not seen any internet visit for a very long time. Still, they are part of and constitute the CERN web sphere…

It is not just that such abandoned or erroneous websites are not beautiful or useful or that they leave a negative impression of our Organization. They are also crawled and indexed by search engines and for training AI models (the new kid on the block). Some are mirrored and thus make it into the annals of the infinitely deep memory of the internet. Is this the image that CERN wants to convey? Or should we get a makeover? Some beautification?

Security-wise, abandoned, empty and broken websites pose a risk in and of themselves. Just as abandoned cars or houses with broken windows in certain neighbourhoods invite more destruction and incite crime - the so-called "broken windows theory" - broken websites invite attackers and script kiddies to poke deeper (read also our "Digital Broken Windows Theory" article on that). They are looking for vulnerabilities or searching for confidential data, either of which might surface due to the unmaintained nature of the website, overly verbose error messages, default landing pages disclosing internal information, an unprotected folder structure or inadvertently exposed hidden functions. Nothing beautiful here…

We can do better. Let's show our more beautiful side. Put our best foot forward. Change into our glad rags. And smarten up our web presence. Just a bit. Not to an extreme. Just making sure that any website that is hosted at CERN and visible to the internet…

  • has an owner, that no one is left behind, that orphaned websites find a new home, and that outdated and old websites are purged for good. Nobody is really interested anymore in the "ABI - 1973 - Eichendorff Gymnasium Koblenz", or are they?
  • provides some legible and reasonable information (and not a "Hello World!" or "Stefan was here.") on first contact and has a good landing page, even if there was no intention to have anybody browse to it (on the other hand, reverse (IP-to-name) DNS resolution, automatic scanners and web searches might still find it);
  • redirects, alternatively, to "home.cern" or the corresponding department, group, section or service;
  • is functional, maintained and up to date;
  • catches any possible error, in particular when that website hosts dynamic content, and expresses those errors in a clear but brief way;
  • does not expose any debugging or trace information;
  • employs the CERN Single Sign-On instead of providing a local login that is liable to be exploited; and
  • takes advantage of CERNBox, EOS or xroot/xrdcp instead of directly exposing files in an unformatted directory tree.
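One way to triage a site inventory against that checklist, as an added example (not CERN's own tooling): the placeholder, directory-listing and debug patterns are assumptions, and the sample responses are constructed so the audit runs offline.

```python
"""Offline landing-page audit for the eyesores listed above (added example, not
CERN's own tooling). A Page holds an already-fetched response; audit() reports
which of the article's issues it shows, so an inventory can be triaged offline."""
import re
from dataclasses import dataclass

# Assumed phrase lists; extend them with what your own hosting platforms emit.
PLACEHOLDER_RE = re.compile(r"hello,?\s*world|it works!|under construction|was here", re.I)
DIR_LISTING_RE = re.compile(r"<title>Index of /|Parent Directory", re.I)
DEBUG_RE = re.compile(r"Traceback \(most recent call last\)|Stack trace:|"
                      r"DEBUG\s*=\s*True|Fatal error:.*on line \d+|Exception Details:", re.I)

@dataclass
class Page:
    url: str
    status: int
    body: str

def audit(page: Page) -> list[str]:
    """Return the findings for one landing page; an empty list means it looks fine."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", page.body).strip()  # crude tag stripping
    if page.status >= 500:
        findings.append(f"server error {page.status}")
    elif page.status == 404:
        findings.append("no landing page (404)")
    elif len(text) < 20:
        findings.append("empty or near-empty landing page")
    if PLACEHOLDER_RE.search(text):
        findings.append("placeholder content")
    if DIR_LISTING_RE.search(page.body):
        findings.append("exposed directory listing")
    if DEBUG_RE.search(page.body):
        findings.append("debug or trace information in response")
    return findings

# Constructed sample responses (not real CERN sites) so the audit runs offline.
SAMPLES = [
    Page("https://site1.example", 200, "<html><body>Hello World!</body></html>"),
    Page("https://site2.example", 200,
         "<html><title>Index of /data</title><a href='..'>Parent Directory</a></html>"),
    Page("https://site3.example", 500, "Traceback (most recent call last):\n  File ..."),
    Page("https://site4.example", 200,
         "<html><body><h1>ABC section</h1><p>Detector control software, contact: ...</p></body></html>"),
]

def audit_all(pages=SAMPLES) -> dict[str, list[str]]:
    """Map each URL to its findings; a site with [] needs no makeover."""
    return {p.url: audit(p) for p in pages}
```

Feed it the landing pages of a real inventory (one Page per fetched site) and anything with a non-empty list is a candidate for an owner, a redirect to "home.cern" or a fix.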

The Security Principles for Web Applications, established and approved by the CERN-wide Computer Security Board, are intended to provide more (technical) guidance. While adherence to the principles is already mandatory, the Computer Security Office is planning to step up their enforcement during 2026 with the intention of catching blunders and misconfigurations and improving the security posture of our web presence - to make it a bit more beautiful than before.

Thanks a lot for helping us with that!

Public Release. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).