When developing web sites it’s good practice to address security from the start. Here are some basic security tips that I find many sites overlook.
These are not all the security issues sites should be aware of, but in my experience they are some of the most commonly overlooked. Not every site will be able to implement every one of these measures, and no site is 100% safe. The main idea is to keep the attack surface as small as possible. It’s not fun if your site gets compromised. Keep security in mind so you can have fun building apps!
Comment
That's a cool tip Anže. Thanks!
Good tips.
There was one really good tip mentioned at one of the aloha.rb meetups. Access passwords (for DB, S3, etc.) in code as environment variables (or some other external way), since code is often versioned through a central version control repository (e.g., GitHub). This way you're not checking out all your production passwords to machines that don't need them (e.g., a new web development intern's).
@Daniel: Nice tips. I also like to change the default SSH port to something higher (e.g., 44322).
Those are great tips and advice Daniel. Those are all issues that I often see being overlooked.
In addition, everyone should salt password hashes when storing them in the database. LinkedIn's user passwords got compromised b/c they didn't salt.
Also I advise not to use FTP (and telnet) unless you're completely isolated in a private intranet. Instead use SFTP because your credentials are encrypted. When using FTP, credentials are sent in plain text.
Lastly, configure ACLs as tightly as possible. For typical web servers, the only ports that should be open are 22 (SSH), 80 (HTTP), and 443 (HTTPS).
That is a good tip Joseph. It's common to find servers that have never been updated, and this definitely leaves many sites open to known security exploits.
All good tips... should also add stay on top of security updates and patches for your full stack including but not limited to the application server, database server, web framework, programming language, and OS.
© 2023 Created by Daniel Leuck.