Hawaiʻi's Technology Community

Web Site Security Tips

When developing web sites it’s a good practice to address security from the start.  Here are some basic security tips that I find many sites overlook.

  1. Use different passwords for your server, database, FTP and other logins.  I am often surprised to find many sites that use the same admin password for all their systems or use the same default password without forcing a password change.
  2. Use strong passwords.  Passwords like “password” or “password123” are apparently very easy to figure out.
  3. Change your password regularly.
  4. Make sure your chosen data access method protects against SQL injection attacks.  ORMs and other database libraries have made it easier to protect against SQL injection attacks, but I still often come across web site code that uses plain string concatenation to construct SQL queries.
  5. Validate your form data both on the client and server side.  I often come across sites that only validate on the client side using JavaScript.  Turn JavaScript off on a site that does not validate data on the server side and you may see your form input accepted as if it were fine, or have the server spit back detailed exception messages.
  6. Validate all query string inputs.  As with form inputs, your query string inputs should also be validated on the server side.
  7. If your site hosts any sensitive information consider using SSL.
  8. Configure your server to return a generic error page instead of a detailed error message.  Detailed error messages not only look bad, they often give users information about your server and code.
  9. Encrypt user passwords and do not send users their passwords.  Instead use a form of password reset that does not involve sending users their passwords.
  10. Encrypt server passwords in configuration files on the server.  Especially if you host your site on a third-party host, there is no way to know who is looking at your configuration files.
  11. Configure your server so that your web site directories and files are not writable.  If you allow user uploads to your site make sure you configure security so that only valid files can be uploaded.  Ideally your upload directory should not be placed in your web site directories.  If it needs to be then make sure files in that directory are not executable.
  12. Make sure to run your production site using production settings.  Turn off any “debug” mode settings.  Leaving “debug” settings on not only makes a site perform slower, it leaves it open to someone who wants to gather information about your site.
  13. When publishing your site make sure that only necessary files get published.  Don’t publish files generated by your source control or your IDE.  Make sure you are not publishing files such as database scripts and schemas or development documents and backup files.  Renaming unused files as “.old” is not a good practice.
  14. Turn off directory browsing.
  15. Configure your server to serve only the files you want it to serve and limit it to handling only the server technology of your choice.  For example, if your site only has HTML pages in it, don’t enable PHP.
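As an added example (not code from the original post), the following Python snippet puts items 4, 5, 6 and 8 together: the concatenated query that item 4 warns about beside its parameterized form, a server-side allow-list check on a query string parameter, and a request handler that logs the detail and returns only a generic message to the browser. The `users` table, the sample rows and the `user` parameter name are constructed for the example.

```python
import logging
import re
import sqlite3

log = logging.getLogger("lookup")

# Allow-list for usernames: lower-case letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def make_db():
    """Constructed in-memory database with two sample users so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_concat(conn, username):
    """Vulnerable form: the value is pasted into the SQL text, so it can change the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Safe form: the driver binds the value separately; it is compared, never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def handle_lookup(conn, query_params):
    """Server-side handling of a request such as /lookup?user=alice (query_params is a dict).

    Returns (status, body). Validation runs here no matter what the client did,
    the query is parameterized, and an unexpected error yields a generic message
    while the detail goes to the server log only.
    """
    username = query_params.get("user", "")
    if not USERNAME_RE.fullmatch(username):
        return 400, "Invalid username."
    try:
        rows = lookup_param(conn, username)
    except sqlite3.Error:
        log.exception("lookup failed for a validated username")  # detail stays server-side
        return 500, "Something went wrong. Please try again later."
    if not rows:
        return 404, "No such user."
    return 200, rows
```

Run with the allow-list check in front of the query and the concatenated version never gets a chance to misbehave; the parameterized version is still what should execute, because the allow-list is the first line and not the only one.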

These are not all the security issues sites should be aware of, but these are some of the most overlooked issues based on my experience.  Not all sites will be able to implement every security solution and no site is 100% safe.  The main idea is to keep the surface area of attack as small as possible.  It’s not fun if your site gets compromised. Keep security in mind so you can have fun building apps!




Comment by Douglas Ching on July 18, 2012 at 9:07pm

That's a cool tip Anže.  Thanks!

Comment by Anže Žnidaršič on July 18, 2012 at 2:59pm

Good tips.

There was one really good tip mentioned at one of the aloha.rb meetups. Use passwords (for DB, S3, etc.) access in code as environment variables (or other external way) since code is many times versioned through a central version control repository (e.g., GitHub). This way you're not checking out all your production passwords to machines that don't need them (e.g., new web development intern).

@Daniel: Nice tips. I also like to change default SSH port to something higher (e.g., 44322)
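As an added illustration of the environment-variable approach in the comment above (not code from the post or from the aloha.rb group), here is a small Python loader that takes secrets from the environment instead of from committed files, fails closed when one is missing, and wraps each value so it cannot be printed into a log or a detailed error page by accident. The variable names `DB_PASSWORD` and `S3_SECRET_KEY` are assumed for the example.

```python
import os


class Secret:
    """Holds a secret value; str()/repr() never reveal it, so it stays out of logs and tracebacks."""

    __slots__ = ("_value",)

    def __init__(self, value):
        self._value = value

    def reveal(self):
        """Return the real value; call this only at the point of use (e.g. opening a DB connection)."""
        return self._value

    def __repr__(self):
        return "Secret(****)"

    __str__ = __repr__


# Assumed variable names for this example; a real app lists whatever its services need.
REQUIRED = ("DB_PASSWORD", "S3_SECRET_KEY")


def load_secrets(env=None):
    """Read every required secret from the environment (or a mapping passed in for tests).

    There is deliberately no hard-coded fallback: a missing variable stops startup
    with a message that names the variable but never echoes any value.
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    return {name: Secret(env[name]) for name in REQUIRED}
```

The `Secret` wrapper is the part people skip: a bare string in a settings dict is one `repr()` away from appearing in a stack trace or a debug page, which is exactly what items 8 and 12 of the post try to prevent.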

Comment by Douglas Ching on July 16, 2012 at 8:30pm

Those are great tips and advice Daniel.  Those are all issues that I often see being overlooked.

Comment by Daniel Nishimura on July 16, 2012 at 8:02pm

In addition, everyone should salt password hashes when storing them in the database.  LinkedIn's user passwords got compromised b/c they didn't salt.  

Also I advise not to use FTP (and telnet) unless you're completely isolated in a private intranet. Instead use SFTP because your credentials are encrypted.  When using FTP, credentials are sent in plain text.  

Lastly, configure ACLs as tightly as possible.  For typical web servers, the only ports that should be open are 22 (SSH), 80 (HTTP), and 443 (HTTPS).
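Item 9 of the post (store passwords protected, and reset them without ever e-mailing a password) and the salting point in the comment above both come down to the same few lines. The following Python is an added example, not code from the post or the commenters; it uses PBKDF2 from the standard library with a random per-user salt, constant-time comparison, and a reset token whose hash, not the token itself, is what gets stored. The storage format string is the example's own convention.

```python
import hashlib
import hmac
import os
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # work factor; raise it over time and re-hash on the next successful login


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' using a fresh random salt per user.

    The salt is what makes two users with the same password get different hashes, so a
    leaked table cannot be attacked with one precomputed lookup for everyone at once.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: treat as no match rather than raising
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def new_reset_token():
    """Password reset without touching the password: returns (token to e-mail, hash to store)."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def check_reset_token(token, stored_hash):
    """Constant-time check of a presented reset token against the stored hash."""
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented, stored_hash)
```

In a real reset flow the stored hash also carries an expiry and is deleted after one use; storing only the hash means a read of the database does not hand out live reset links the way a plaintext token column would.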

Comment by Douglas Ching on July 16, 2012 at 6:35am

That is a good tip Joseph.  It's common to find servers that have never been updated and this definitely leaves many sites open to known security exploits.

Comment by Joseph Lui on July 15, 2012 at 11:38pm

All good tips... should also add stay on top of security updates and patches for your full stack including but not limited to the application server, database server, web framework, programming language, and OS.
