Security tips to protect your website. You may not think that your site deserves to be hacked, but websites are compromised all the time. Most security breaches of the website are not to steal your data or tamper with you, but instead to use your server as a relay for spam, or to set up a temporary web server, To submit illegal files, or to my bitcoins. You may even be exposed to ransomware.
Bad guys are spread all over to cause damage and at this point, we should take protection as well to stay safe. Today I will tell you a few security tips based on my experience. If you find this helpful, please consider alike. It motivates me to create more. So anyway, let’s dive into it.
1. Do penetration testing:
Doing pentesting plays another important role in terms of security. There is a handful of open sources available out there to help you. If you are running Linux I previously wrote a blog about how to get kali tools on ubuntu based distros, you can follow that to get those tools. There is something called RapidScan.You can use it to scan your site for vulnerabilities.
2. Keep software up to date:
It may seem obvious, but ensuring you keep all software up to date is vital. This applies to both the server operating system and any software you may be running on your websites such as a CMS or forum. When website security holes are found in software, people are quick to attempt to abuse them. This applies to dependencies as well.
3. Sanitize/Validate user inputs:
When syncing your inputs with the server, before sending the raw data sanitize or validate user input. Let me give you an example, so let’s say you take text input and then add that as a comment to that page. If it’s basically just like that without validation/verification or so then users can post raw HTML snippets, so sanitize it, remove stuff that is unnecessary.
4. Watch out for SQL injection:
SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database via SQL statements. When you use standard Transact SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterized queries, most web languages have this feature and it is easy to implement.
Consider this query:
"SELECT * FROM table WHERE column = '" + parameter + "';"
If an attacker changed the URL parameter to pass in ‘ or ‘1’=’1 this will cause the query to look like this:
"SELECT * FROM table WHERE column = '' OR '1'='1';"
Since ‘1’ is equal to ‘1’ this will allow the attacker to add an additional query to the end of the SQL statement which will also be executed.
You could fix this query by explicitly parameterizing it. For example, if you’re using MySQLi in PHP this should become:
$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
$stmt->execute(array('value' => $parameter));
5. Protect against XSS:
XSS is commonly known as cross-site scripting. This attack injects malicious JavaScript into your pages, which then runs in the browsers of your users, and can change page content, or steal information to send back to the attacker. You need to ensure that users cannot inject active JavaScript content into your pages. The case here is kind of similar to SQL injection btw. The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended. This is similar to defending against SQL injection. When dynamically generating HTML, use functions that explicitly make the changes you’re looking for (e.g. use element.setAttribute and element.textContent, which will be automatically escaped by the browser, rather than setting element.innerHTML by hand), or use functions in your templating tool that automatically do appropriate escaping, rather than concatenating strings or setting raw HTML content.
6. Validate on both sites:
Validation should always be done both on the client and the server. The browser can catch simple failures like mandatory fields that are empty and when you enter text into a numbers-only field. These can however be bypassed, and you should make sure you check for this validation and deeper validation server side as failing to do so could lead to malicious code or scripting code being inserted into the database or could cause undesirable results in your website.
7. Beware of Error messages and console logs:
Logging all the necessary info and error is great for development but make sure it doesn’t get shipped to production!! Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.
8. Use HTTPS:
HTTPS is a protocol used to provide security over the Internet. HTTPS ensures that users are talking to the server they expect and that nobody else can intercept or change the content they’re seeing in transit.
I hope you have to know the important tips to secure your website from bad men.