7 Ways to Improve Your Website's Security

By: JT Gabriel  | 12/12/2018

Maintaining proper website security is at the top of every developer's To Do list. You might be thinking, "Why would anyone want to hack my little site?", but you'd be surprised to learn that websites are compromised all the time. Here are seven simple tips to help keep your website secure.


1. Use SSL encryption

Make sure your website has an SSL certificate, and that all requests to your website are redirected to HTTPS. SSL certificates encrypt all data between the client and the server.

Sometimes a website has an SSL certificate, but it can still be reached over unencrypted HTTP. It's important to have a redirect set up so that every request ends up on HTTPS. Google Chrome and other browsers now warn the user that a website is not secure if it has any data input fields and no SSL certificate. You can purchase SSL certificates from numerous Certificate Authorities, but there are also free options available.
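The redirect described above, as an added example that is not part of the original post: a small WSGI middleware that answers every plain-HTTP request with a 301 to the same URL over HTTPS. It assumes the site runs behind a TLS-terminating proxy that passes the original scheme in an X-Forwarded-Proto header; the host name and the hello_app handler are made up for illustration. It also goes one step beyond the post by adding a Strict-Transport-Security header on HTTPS responses, so returning browsers stop trying HTTP at all.

```python
# Added example (not from the original post): redirect HTTP to HTTPS in a
# WSGI middleware. The proxy header and host names are assumptions.
from urllib.parse import quote


def request_scheme(environ):
    """Work out whether the client reached us over http or https.

    A TLS-terminating proxy usually forwards the original scheme in
    X-Forwarded-Proto; otherwise fall back to the server's own view.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded:
        # The header may carry a comma-separated chain; the first entry is the client's.
        return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def https_url(environ):
    """Rebuild the requested URL with an https:// scheme."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def force_https(app):
    """Wrap a WSGI app so that plain-HTTP requests get a 301 to HTTPS."""
    def middleware(environ, start_response):
        if request_scheme(environ) != "https":
            start_response("301 Moved Permanently", [
                ("Location", https_url(environ)),
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", "0"),
            ])
            return [b""]

        # Already on HTTPS: tell the browser to keep using it (HSTS) and pass through.
        def hsts_start_response(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
            ]
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)
    return middleware


def hello_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"secure hello\n"]


def run_request(app, environ):
    """Call a WSGI app directly and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = force_https(hello_app)
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com",
             "PATH_INFO": "/login", "QUERY_STRING": "next=%2Faccount"}
    print(run_request(secured, plain))
```

Trusting X-Forwarded-Proto is only safe when the proxy is the only thing that can reach the application; if the app is exposed directly, drop that header lookup and rely on wsgi.url_scheme.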


2. Passwords

If your website supports authentication, make sure that you have a strong password policy. An ideal password should be complex to protect against brute force attacks. Require all passwords to have a combination of upper and lower case letters, numbers and special characters.

After a certain number of invalid login attempts, it is a good idea to lock the user account. This limits the number of guesses an attacker gets at a password. Be sure that all passwords are hashed and never stored as plain text.
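The three points in this section (a complexity policy, locking the account after repeated failures, and storing only salted hashes) put together in one added example that is not from the original post. It uses PBKDF2 from the Python standard library; the 12-character minimum, the five-attempt limit and the iteration count are assumptions, and the in-memory dictionary stands in for a real user table.

```python
# Added example (not from the original post): password policy, lockout and
# salted hashing in one small in-memory user store. Limits are assumptions.
import hashlib
import hmac
import os
import string

MAX_FAILED_ATTEMPTS = 5          # lock the account after this many bad passwords
PBKDF2_ITERATIONS = 200_000      # raise towards current guidance (OWASP: 600,000 for SHA-256)
MIN_LENGTH = 12


def password_policy_errors(password):
    """Return the policy rules a password breaks; an empty list means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("an upper-case letter")
    if not any(c.islower() for c in password):
        errors.append("a lower-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("a digit")
    if not any(c in string.punctuation for c in password):
        errors.append("a special character")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). The password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    def __init__(self):
        self._users = {}   # username -> {"salt", "hash", "failed", "locked"}

    def register(self, username, password):
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("password must contain " + ", ".join(errors))
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest, "failed": 0, "locked": False}

    def login(self, username, password):
        """True only for the correct password on an unlocked account."""
        user = self._users.get(username)
        if user is None or user["locked"]:
            # Do the same amount of work for unknown or locked users so response
            # time does not reveal whether the account exists.
            hash_password(password, salt=b"\x00" * 16)
            return False
        _, digest = hash_password(password, salt=user["salt"])
        if hmac.compare_digest(digest, user["hash"]):
            user["failed"] = 0
            return True
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True     # an administrator or a reset flow unlocks it
        return False

    def is_locked(self, username):
        return self._users[username]["locked"]
```

A permanent lock lets anyone who knows a username lock that user out; many sites prefer a lock that expires after a few minutes, or a delay that grows with each failure, which is a one-line change to the `locked` handling above.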

3. Validation

Ensure all data submitted through your website is validated. Validation can be performed in the client's browser via JavaScript, and on the server once the data is submitted. Client-side validation provides a better experience with instant warnings and validation messages, but it can be easily bypassed. That's why it is important that the same validation is performed on the server before the data is saved.

If your website allows users to upload files, make sure to validate the type of file against a whitelist of allowed file types. The website should have a limit for file size as well as the length of the filename. We also recommend you scan any uploaded files for viruses with antivirus software.
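An added example, not from the original post, of the server-side checks this section calls for: a form validator that re-checks the fields client-side JavaScript would also check, and an upload validator that enforces a type whitelist, a size cap and a filename length limit. The field rules, the allowed types, the 2 MiB cap and the 100-character limit are assumptions. The upload check also compares the file's leading bytes with what the whitelisted type should start with, since a renamed executable passes an extension-only check.

```python
# Added example (not from the original post): server-side validation of a
# profile form and of an uploaded file. All limits and rules are assumptions.
import os
import re

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Whitelist: extension -> the leading bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024
MAX_FILENAME_LEN = 100


def validate_profile_form(form):
    """Re-validate submitted fields on the server; returns {field: error message}."""
    errors = {}
    if not USERNAME_RE.match(form.get("username", "")):
        errors["username"] = "3-32 letters, digits or underscores"
    if not EMAIL_RE.match(form.get("email", "")):
        errors["email"] = "not a valid e-mail address"
    try:
        age = int(form.get("age", ""))
        if not 13 <= age <= 120:
            errors["age"] = "must be between 13 and 120"
    except ValueError:
        errors["age"] = "must be a whole number"
    return errors


def validate_upload(filename, data):
    """Check name length, size, extension whitelist and content; return an error or None."""
    # Drop any directory part the client supplied, so "../../etc/passwd" becomes "passwd".
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or len(base) > MAX_FILENAME_LEN:
        return "filename missing or too long"
    if len(data) > MAX_UPLOAD_BYTES:
        return "file too large"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return f"file type {ext or '(none)'} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return "file content does not match its extension"
    return None


if __name__ == "__main__":
    # Constructed sample submissions.
    print(validate_profile_form({"username": "x", "email": "nope", "age": "abc"}))
    print(validate_upload("photo.png", b"MZ\x90\x00"))
```

Store accepted uploads under a server-generated name rather than the client's filename, and outside the web root; the validated extension is only used to pick the whitelist entry.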

4. Permissions

Audit your website's permissions and active user accounts on a regular basis. It is important to take time to plan out who needs what permissions to do certain tasks. Not every user should require the same level of access. The more people who have access, the more ways there are for an account to be misused or compromised. Inactive user accounts should be disabled or deleted.

5. Software

It is important to keep your website's software and servers updated on a regular basis. Software companies release hotfixes and patches regularly to address known issues.

Information on security fixes is often not in the public release notes, but can usually be found if you have a support contract or subscription. Publicizing this information would notify hackers that a vulnerability existed in previous versions of the software. Hackers are usually quick to act on known vulnerabilities before affected sites have patched them.

6. Cookies

Make sure that all important cookies your website uses are secure. HttpOnly is a flag placed on a cookie that hides it from client-side script: only the browser and the web server handle its value, so JavaScript on the page cannot read or change it. Also set the Secure flag so the browser only sends the cookie over SSL, which keeps any data it contains encrypted on the way between the client and the server.
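How those two flags look on the wire, as an added example that is not from the original post: a helper that builds a session cookie with HttpOnly and Secure (plus SameSite, which goes slightly beyond the post) using the standard library's http.cookies, and a checker that reports which of those attributes a given Set-Cookie header lacks. The cookie name, the session value and the one-hour lifetime are assumptions.

```python
# Added example (not from the original post): emit a hardened session cookie
# and audit Set-Cookie headers for missing flags. Names and lifetimes are assumptions.
from http.cookies import SimpleCookie

HARDENING_FLAGS = ("HttpOnly", "Secure", "SameSite")


def session_cookie_header(session_id, max_age=3600):
    """Return the value of a Set-Cookie header for a hardened session cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True     # hidden from document.cookie in the browser
    morsel["secure"] = True       # browser sends it only over HTTPS
    morsel["samesite"] = "Lax"    # not sent on cross-site POSTs (limits CSRF)
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def missing_cookie_flags(set_cookie_value):
    """Given a Set-Cookie header value, list the hardening attributes it lacks."""
    parts = set_cookie_value.split(";")[1:]            # skip the name=value pair
    present = {part.strip().split("=")[0].lower() for part in parts}
    return [flag for flag in HARDENING_FLAGS if flag.lower() not in present]


if __name__ == "__main__":
    header = session_cookie_header("constructed-session-id")
    print("Set-Cookie:", header)
    print("missing:", missing_cookie_flags("session=abc; Path=/"))
```

Run `missing_cookie_flags` over the Set-Cookie headers a site actually returns (for example from a captured response) to find cookies that were set without the flags.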

7. Simple Error Messages

Make sure your website doesn't give away too much information with its error messages. For example, on your website's login form, don't tell the user that the entered username doesn't exist, or that only the password is incorrect. A simple warning that the entered username and password combination is invalid should be sufficient. Set up a generic error page to capture all unexpected errors, and never let the user see the exception details or the stack trace.
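Both halves of this section in one added example that is not from the original post: a login handler that returns the same message whether the username is unknown or the password is wrong, and a wrapper that turns any unexpected exception into a generic response while the full traceback goes to the server log under a reference id the user can quote to support. The demo user list is constructed (a real application verifies against the hashed store from tip 2), and the message texts and log name are assumptions.

```python
# Added example (not from the original post): uniform login errors and a
# catch-all handler that keeps exception details out of the response.
import logging
import traceback
import uuid

log = logging.getLogger("webapp")

GENERIC_LOGIN_ERROR = "The username and password combination is invalid."
GENERIC_SERVER_ERROR = "Something went wrong. Reference: {ref}"

# Constructed demo credentials; a real app checks salted hashes instead.
DEMO_USERS = {"alice": "correct horse battery staple"}


def login_response(username, password, users):
    """Same text whether the user does not exist or the password is wrong."""
    if username in users and users[username] == password:
        return {"ok": True, "message": "Welcome back."}
    # The specific reason is useful to operators, so it goes to the log only.
    reason = "unknown user" if username not in users else "wrong password"
    log.info("failed login for %r: %s", username, reason)
    return {"ok": False, "message": GENERIC_LOGIN_ERROR}


def safe_handle(handler, request):
    """Run a request handler; on an unexpected exception return a generic 500."""
    try:
        return handler(request)
    except Exception:
        ref = uuid.uuid4().hex[:8]     # lets support find the log entry later
        log.error("unhandled error ref=%s path=%s\n%s",
                  ref, request.get("path"), traceback.format_exc())
        return 500, GENERIC_SERVER_ERROR.format(ref=ref)


def broken_handler(request):
    """Constructed handler that fails the way a misconfigured database call might."""
    raise RuntimeError("connection refused: db host db1.internal, user app_rw")


def healthy_handler(request):
    return 200, "account page"


if __name__ == "__main__":
    print(login_response("nobody", "x", DEMO_USERS))
    print(login_response("alice", "x", DEMO_USERS))
    print(safe_handle(broken_handler, {"path": "/account"}))
```

The two failed-login calls in the `__main__` block return identical messages; only the log line differs. Note that response timing can leak the same distinction, which is why tip 2's example hashes a dummy password for unknown users.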

Following these relatively simple rules will help make your website safer from hackers. While nothing is foolproof, being aware of potential threats will allow you to be more vigilant when it comes to your website's security. And lowering your risk is half the battle.

Was there anything we forgot? Sound off in the comments below!
