Web Site Security Tips

When developing web sites it’s a good practice to address security from the start.  Here are some basic security tips that I find many sites overlook.

1. Use different passwords for your server, database, FTP and other logins.  I am often surprised to find many sites that use the same admin password for all their systems or use the same default password without forcing a password change.
2. Use strong passwords.  Passwords like “password” or “password123” are apparently very easy to figure out.
3. Change your password regularly.
4. Make sure your chosen data access method protects against SQL injection attacks.  ORMs and other database libraries have made it easier to protect against SQL injection attacks, but I still often come across web site code that use plain string concatenation to construct SQL queries.
5. Validate your form data both on the client and server side.  I often come across sites that only validate on the client side using Javascript.  Turn javascript off for a site that does not validate data on the server side and you might have some fun seeing your form input go through as if it’s fine or have the server spit back nice exception messages.
6. Validate all query string inputs.  Similar to form inputs your query string inputs should also be validated on the server side.
7. If your site hosts any sensitive information consider using SSL.
8. Configure your server to return a generic error page instead of a detailed error message.  Detailed error messages not only look bad, they often give users information about your server and code.
9. Encrypt user passwords and do not send users their passwords.  Instead use a form of password reset that does not involve sending users their passwords.
10. Encrypt server passwords in configuration files on the server.  Especially if you host your site on a 3rd party host, there is no way to know who is looking at your configuration files.
11. Configure your server so that your web site directories and files are not writable.  If you allow user uploads to your site make sure you configure security so that only valid files can be uploaded.  Ideally your upload directory should not be placed in your web site directories.  If it needs to be then make sure files in that directory are not executable.
12. Make sure to run your production site using production settings.  Turn off any “debug” mode settings.  Leaving “debug” settings on not only makes a site perform slower, it leaves it open to someone who wants to gather information about your site.
13. When publishing your site make sure that only necessary files get published.  Don’t publish files generated by your source control or your IDE.  Make sure you are not publishing files such as database scripts and schemas or development documents and backup files.  Renaming unused files as “.old” is not a good practice.
14. Turn off directory browsing
15. Configure your server to serve only the files you want it to serve and limit its ability to handling only the server technology of your choice.  For example, if your site only has html pages in it don’t enable php.

These are not all the security issues sites should be aware of, but these are some of the most overlooked issues based on my experience.  Not all sites will be able to to implement every security solution and no site is 100% safe.  The main idea is to keep the surface area of attack as small as possible.  It’s not fun if your site gets compromised. Keep security in mind so you can have fun building apps!