Skip to main content

How do I secure my website?

In search of modern methods and tools that allow us to assert with at least some degree of certainty that the website is protected from future hacker attacks (No one has any doubts that everyone will have them? And if they have not already , then it's only a matter of time), recommendations were found, which we will consider in this article.

This is a small but important list of specific actions that everyone should do with their web resource, if the company's reputation, security of web resources and customer data are not just empty words for you.

There are several main ways to protect your site:

  • provide protection against DDoS attacks;
  • connect an SSL certificate;
  • use reliable hosting;
  • use secure plugins / libraries / frameworks / CMS (hereinafter referred to as "third-party modules");
  • apply existing techniques to protect against SQL injection and XSS attacks;
  • provide website logging and monitoring of security events;
  • make regular backups of the website and all important data;
  • use strong and complex passwords, as well as brute-force protection;
  • if there is an administrative panel with which the content of the website is managed, it is necessary to change the default login address and ensure access control.
Naturally, each point has its own "but" and a number of sub-points that should be focused on. They can also be divided into subgroups based on the following considerations: some actions require a one-time connection, setup and rare health checks (setting up hosting and SSL certificate), while others imply constant checks, updates and require close attention (everything else).

Reliable hosting and SSL

So, let's start with the fact that in our arsenal we have a reliable server or virtual hosting, the administration of which will remain outside the scope of this article. As for connecting an SSL certificate, this is a mandatory measure and even comments are unnecessary here.

DDoS protection

If your hosting provider provides protection against DDoS attacks or you use anti-DDoS services, then this question can be considered closed, but why not strengthen the protection and organize it yourself, which is undoubtedly a time-consuming task and implies the simultaneous using the following techniques: if Apache is used as a web server, then you need to put a caching proxy in front of it - Nginx or Lighttpd, and it is better to use Nginx on the frontend, but with several add-ons (limit the sizes of buffers and connections in Nginx, set timeouts, etc. like; use the testcookie-nginx module; use URL filtering and send a non-standard 444 code that allows you to close the connection and not give anything back); in some cases, use geographic blocking; automate the process of analyzing website logs, paying particular attention to traffic volume, server response time, number of errors and number of requests per second.

Third party module security

As for the recommendation related to the use of secure third-party modules in their applications, this topic is perhaps one of the most important, because most malicious attacks occur through third-party modules. The point of this clause is to use frameworks and libraries with built-in security functions that will help developers minimize the emergence of vulnerabilities during implementation. I would like to highlight more detailed recommendations regarding this point: use third-party modules from trusted sources that are supported by the community and are actively developed; keep up to date a list of all third-party modules; use only the functionality that is required within your application.

SQL injection and XSS attacks

The recommendation regarding protection against SQL injection and XSS attacks requires the most detailed explanation, because the attackers are targeting specific data from the database (SQL injection) and user data (XSS attack). It should also be understood that the issues related to SQL injection cover an extensive section on ensuring secure access to all data stores, including relational and NoSQL databases, and include query security issues (it is necessary to avoid illegitimate input data in SQL commands and the best solution is to use parameterized queries that can be applied to SQL / OQL constructs and stored procedures), configuration (you need to make sure that the existing security tools of the DBMS and the platform on which it is installed are configured correctly), authentication (must be performed over a secure channel ) and connections (due to the existence of several ways of interacting with the database (through a service or API), it is necessary to ensure the security of connections using encryption and authentication).

With regard to a cross-site scripting (XSS) attack, in this case, the consequences of moderate severity can be caused by reflected XSS or XSS based on the document object model (DOM), and cross-site execution of stored scripts with code execution in the user's browser can cause serious consequences. with the aim of stealing credentials, hijacking sessions or installing malicious software. The main protection measure in this case is escaping (adding certain combinations of characters before characters or strings to prevent their incorrect interpretation), encoding data (converting certain characters into combinations of characters that do not pose a threat to the interpreter) on the server side and using a set of HTTP headers , in particular, Set-Cookie with HttpOnly and Secure parameters, and X-XSS-Protection with a value of 1.

A common security measure used to prevent SQL injection and cross-site scripting is to validate all input against syntactic and semantic norms. The syntactic norm should be understood as the full compliance of the input data with the expected form of presentation, and the semantic norm indicates that the input data does not go beyond the limits of a particular functional.

Logging and monitoring

The recommendation related to logging all events and monitoring security events has already been mentioned when considering methods of protection against DDoS attacks, but in this case the broader side of the issue is considered, related to detecting and counteracting attacks, as well as investigating security incidents that have already occurred. Therefore, in addition to the standard logging tools provided by the web server, you need to ensure that the event time and user ID are recorded, as well as potentially harmful activity specific to your website. In case of detection of malicious activity, your application should block the user session or block by IP address, in general, take action and inform the administrator about it. Here we are already talking about tools such as WAF or IDS / IPS.

Backups

Regarding regular backups of the website and all data, here you need to think about where and how this data is stored. An effective way is to encrypt critical data storages and backups, as well as store backup files not on the file system, but in another place, which is safe in no doubt and which will always be at hand for quick deployment.

12345 or qwerty?

A recommendation for using strong and complex passwords not only and not so much about passwords, but about authentication and user session management in general. There are three levels of authentication and the use of only passwords refers only to the first - the simplest level (the second is multifactor authentication; the third is encryption-based authentication). However, even here there are a number of requirements for the passwords themselves, the password recovery mechanism, and also for the secure storage of passwords. Session management allows you to control the state of user authentication to work with a website without re-authentication. Sessions also have creation and completion requirements.

Administrative panel protection

The final recommendation is to protect the administrative panel of the website, because it is one of the weak points in the overall system due to the extensive functionality associated with adding / editing posts and pages, working with files and much more. Therefore, an important condition is to ensure proper access control, as well as maximum concealment from intruders of the location of the administrative panel, implemented by simply transferring the address to a non-standard one and maximum protection of this entry point through brute force protection, filtering by IP addresses, etc. When creating an access control system, the following principles should be adhered to: sending all requests through the access control system; Deny access by default (i.e., reject a request unless it was specifically allowed); minimum privileges for all users, programs or processes; refusal to use the role-based access control model, which is hard-coded; registration of all events related to access control.

Conclusion

This review article discusses some of the techniques to improve the security of your website. Each individual recommendation deserves a separate consideration, but even with such a brief review, one thing remains clear - the approach to ensuring security must be comprehensive and systemic, and it does not tolerate condescension. You need to be careful about access control, keep existing third-party modules up to date, filter input data, and much more. Anything to add? Be sure to share in the comments.

Popular posts from this blog

The Slowest Programming Languages

Today, there are about 700 well-known programming languages ​ ​ in the world, while only 250 are used. If a task could be measured in days earlier, it is now a fraction of a second. Here are some of the slowest dynamic typing programming languages. In electronics, speed and performance depend on the number of transistors that a particular chip can have. According to Moore's law, their number doubles every two years. This is why a modern hand-sized mobile phone is much faster than a room-sized supercomputer of the 90s. When it comes to computer science, the difference between faster code and a faster PC is quite bike. Intel and AMD create powerful computing systems in terms of speed. The task of programmers is to write reliable and fast programs. One of the things to consider when creating software is programming languages . Each of them is implemented in different ways, therefore it has its own merits. And speed may simply not be among them. If you need to create a program for comp...

How to succeed in IT if you are not a programmer

There is a statement that only mathematicians are taken in IT. Is that so? Today's world of information technology answers: no. Successful in this area is not the one who quickly thinks in his mind, but rather the one who understands human psychology, knows languages and is quite ambitious. What is the secret to success and how to develop in IT if you are not a programmer? Develop communication skills and emotional intelligence Language, successful communication, the ability to "see and hear" the interlocutor are basic factors for those who want to succeed in IT. Linguistic inclinations are known to be more important for learning programming languages ​ ​ and understanding code than mathematics. That is, languages ​ ​ are a factor that allows ordinary people to develop in IT. The ability to find a common language and establish the necessary connections, easily communicate, the ability to feel and understand a colleague, subordinate, partner and client is something that is...