
How to maximize security

Use the following steps to maximize security in the AXS Visitor Tracking System:

  1. Configure your admin module with a username and password. Use a username and password for AXS that differ from all your other credentials. Use a password that is very hard to guess by including a mixture of letters, numbers, and punctuation.

    See Security: How to set or update your password.

  2. If possible, layer additional server-specific security settings onto your ax-admin file. This could be done by applying Apache-style password protection, for example (see Securing ax-admin with .htaccess security). The AXS built-in password-protection is not very secure, and so adding additional security layers is a good idea.

  3. From the ax-admin page, do not click on links. If you do, your browser passes the address of your ax-admin page to the remote site (in the Referer header), so the linked site will learn the location of your ax-admin page and may "backtrack" to visit it. Not clicking on links is particularly important if you have not password-locked your ax-admin page.

    Instead of directly clicking on links, in most cases you can use the context menu to copy the link location, then open a new browser window and paste the link in. That will keep the location of your ax-admin script safe.

  4. Store your data files in a secure folder that isn't accessible from the web. For instructions on how to do this, see Security: Changing the location of the data files.

  5. In the ax.pl/ax.cgi and ax-admin.pl/ax-admin.cgi scripts, there is a variable named $AllowDebug. When this variable is set to 1, as it is by default, any visitor to those scripts can append the ?debugme query string to make the scripts print out all of their environment variables and some other system information. An example of such output is http://www.xav.com/perl/ax.pl?debugme.

    This information can be helpful when setting up the scripts, and it is also useful to anyone who wants to learn more about your web server. To prevent anonymous visitors from having access to this information, edit the source code and set:

    $AllowDebug = 0;

    Note that the debug output may still be shown if there is a file access error (for example, if the script is unable to read "log.txt"), but with this variable set to 0 the debug output is no longer available on demand.
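    The following Perl CGI fragment is an added illustration of the gating described in step 5; it is not the AXS source code. It assumes the same $AllowDebug variable and ?debugme query string the help page names, a hypothetical log file path in $LogFile, and the helper names (debug_requested, debug_allowed, environment_dump, open_log_or_fail) are invented for this example. It shows the hardened setting ($AllowDebug = 0) and, for the file-access-error caveat, keeps the error details in the server's error log instead of sending an environment dump to the client.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustrative debug gate modelled on the $AllowDebug / ?debugme behaviour
# the help page describes. This is example code, not the AXS script itself.
my $AllowDebug = 0;          # AXS ships with 1; 0 is the hardened setting
my $LogFile    = 'log.txt';  # constructed placeholder path for this example

# True only if the query string contains a bare "debugme" parameter.
sub debug_requested {
    my ($query_string) = @_;
    return 0 unless defined $query_string;
    return $query_string =~ /(?:^|&)debugme(?:=[^&]*)?(?:&|$)/ ? 1 : 0;
}

# The dump is permitted only when the administrator enabled it AND the
# visitor asked for it; with $AllowDebug = 0 this is never true.
sub debug_allowed {
    my ($allow_debug, $query_string) = @_;
    return ($allow_debug && debug_requested($query_string)) ? 1 : 0;
}

# Render the CGI environment as text (what ?debugme would reveal).
sub environment_dump {
    my @lines = map { "$_=" . (defined $ENV{$_} ? $ENV{$_} : '') } sort keys %ENV;
    return join("\n", @lines) . "\n";
}

# On a file access error, write the path and OS error to STDERR (which the
# web server collects in its error log) and return undef, so the failure
# does not turn into an on-demand information leak for anonymous visitors.
sub open_log_or_fail {
    my ($path) = @_;
    open(my $fh, '<', $path) or do {
        print STDERR "axs: cannot read $path: $!\n";
        return undef;
    };
    return $fh;
}

sub main {
    print "Content-type: text/plain\n\n";

    if (debug_allowed($AllowDebug, $ENV{QUERY_STRING})) {
        print environment_dump();
        return;
    }

    my $fh = open_log_or_fail($LogFile);
    if (!$fh) {
        # Generic message to the client; details stay server-side.
        print "Error: unable to read the log file. See the server error log.\n";
        return;
    }
    print "OK\n";
    close $fh;
}

main() unless caller;
```

    Run it from a shell with QUERY_STRING=debugme set in the environment: with $AllowDebug at 0 it never prints the environment, and a missing log.txt produces only the generic message on stdout while the real reason appears on stderr.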


    "How to maximize security"
    http://www.xav.com/scripts/axs/help/1508.html