Security is a constant concern of Alkaline's developers. There are no known security issues or attacks against the search engine as of today. If you know of such a risk or an attack, please contact Vestris Inc. immediately.
Alkaline is a standalone server, like Apache or IIS. It supports HTTP/1.0 and will reject any malformed request. It is diligently tested on large queries, null queries, potential buffer overrun attacks, etc. Running a server still involves substantial risk; to protect yourself against such risks, consider the following items.
You should make sure that you are not running the search engine as a privileged user. Because root (Unix) or Administrator (NT) is the primary target for attackers, running the search engine under a different account dramatically reduces risks. (Note that your Apache web server is probably running as root.) Under Windows NT, you can install the Alkaline service as a special user with locked-down permissions.
You should lock file permissions and remove group and public access from all files except the search templates. Version 1.4 of Alkaline will not allow access to any file that is not publicly readable. Alkaline will also not allow access to any file that lies above the directory from which it was started.
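One way to check the two recommendations above (an unprivileged account, and locked-down files with publicly readable templates) on a Unix install. This is an added example, not part of Alkaline; the `templates` subdirectory and the account name passed in are assumptions about your layout.

```shell
#!/bin/sh
# Added example, not shipped with Alkaline. Assumed layout: search templates
# live in ROOT/templates unless a third argument says otherwise.

# List regular files under $1 that grant any group/other permission bit,
# skipping the templates directory $2 (templates must stay publicly readable).
audit_perms() {
    find "$1" -path "$2" -prune -o -type f \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# List templates that are not world-readable; per the text above,
# Alkaline 1.4 refuses to serve such files.
audit_templates() {
    find "$1" -type f ! -perm -004 -print
}

# Succeed only for a non-zero (unprivileged) numeric uid.
unprivileged_uid() {
    [ "$1" -ne 0 ]
}

# audit_alkaline ROOT RUN_USER [TEMPLATES]; returns non-zero on any finding.
audit_alkaline() {
    root=$1 user=$2 tmpl=${3:-$1/templates} rc=0
    uid=$(id -u "$user" 2>/dev/null) || { echo "FAIL: no account '$user'"; return 2; }
    unprivileged_uid "$uid" || { echo "FAIL: '$user' is uid 0"; rc=1; }
    loose=$(audit_perms "$root" "$tmpl")
    [ -z "$loose" ] || { printf 'FAIL: group/other access:\n%s\n' "$loose"; rc=1; }
    hidden=$(audit_templates "$tmpl")
    [ -z "$hidden" ] || { printf 'FAIL: template not publicly readable:\n%s\n' "$hidden"; rc=1; }
    return $rc
}
```

After sourcing the file, call `audit_alkaline` with the install directory and the service account name; a zero exit status means no findings.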
Apache uses a suexec mechanism to protect unknown CGI scripts from buffer overrun exploits. This consists of running each script under a different account in a protected memory space. You can start the Alkaline Search Engine under suexec as well, thus making Alkaline at least as secure as a random CGI script. It is still advisable, though, to create a special unprivileged account for running the search engine and avoid using suexec at all.
Alkaline does not show arbitrary data; it only produces what the search engine administrator has provided, which makes it more controllable and secure than a random web server.
Alkaline's administrative pages are password protected. The basic authentication mechanism is identical to the standard one used in Apache or other web servers. But even if a malicious user is granted access to the administrative pages, he has no way of harming the server.
You should avoid using server-side includes, an Alkaline feature that is powerful but allows template files to execute arbitrary programs.
Alkaline has a built-in DoS (Denial of Service) protection mechanism. It is probably more than sufficient, but do not neglect commercial firewall products that detect various types of attacks on a packet level. Alkaline will issue a server busy message when its queue is full and will completely stop answering queries when its thread pool is saturated, usually because too many requests have to be processed. Alkaline will wait until the load has dropped back to idle and then resume answering queries.