Maintaining proper website security is at the top of every developer's To Do list. You might be thinking, "Why would anyone want to hack my little site?", but you'd be surprised to learn that websites are compromised all the time. Here are seven simple tips to help keep your website secure.
1. Use SSL encryption
Make sure your website has an SSL certificate, and that all requests to your website are redirected to HTTPS. SSL certificates encrypt all data between the client and the server.
Sometimes, websites have an SSL certificate, but the website can still be accessed over an unencrypted HTTP. It's important to have a redirect set up to make all requests secure. Google Chrome and other browsers now warn the user that the website is not secure if the website has any data input fields and does not have an SSL certificate. You can purchase SSL certificates from numerous Certificate Authorities, but there are also free options available.
If your website supports authentication, make sure that you have a strong password policy. An ideal password should be complex to protect against brute force attacks. Require all passwords to have a combination of upper and lower case letters, numbers and special characters.
After a certain number of invalid login attempts, it is a good idea to lock the user account. This limits the number of attempts a hacker has at guessing a password. Be sure that all passwords are hashed and never stored as plain text.
If your website allows users to upload files, make sure to validate the type of file with a whitelist of allowed file types. The website should have a limit for file size as well as the length of the filename. We also recommend you scan any uploaded viruses with antivirus software.
Audit your website’s permissions and active user accounts on a regular basis. It is important to take time to plan out who needs what permissions to do certain tasks. Not every user should require the same level of access. The more people that have access, the more vulnerabilities exist. Inactive user accounts should be disabled or deleted.
It is important to keep your website’s software and servers updated on a regular basis. Software companies release hotfixes and patches regularly to address known issues.
Information on security fixes are not often in the public release notes, but can usually be found if you have a support contract or subscription. Publicizing this information would notify hackers that a vulnerability existed in previous versions of the software. Hackers are usually quick to act on known vulnerabilities before they are patched.
7. Simple Error Messages
Make sure your website doesn’t give away too much information with its error messages. For example, on your website’s login form, don’t tell the user that the entered username doesn’t exist, or that just the password is incorrect. A simple warning that the entered username and password combination is invalid should be sufficient. Set up a generic error page to capture all unexpected errors, and never let the user see the exception details or the stack trace.
Following these relatively simple rules will help make your website safe from hackers. While nothing is foolproof, being aware of potential threats will allow you to be more vigilant when it comes to your website security. And lowering your risk is half the battle.
Was there anything we forgot? Sound off in the comments below!