In search of modern methods and tools that allow us to assert with at least some degree of certainty that the website is protected from future hacker attacks (No one has any doubts that everyone will have them? And if they have not already , then it's only a matter of time), recommendations were found, which we will consider in this article.
This is a small but important list of specific actions that everyone should do with their web resource, if the company's reputation, security of web resources and customer data are not just empty words for you.
There are several main ways to protect your site:
- provide protection against DDoS attacks;
- connect an SSL certificate;
- use reliable hosting;
- use secure plugins / libraries / frameworks / CMS (hereinafter referred to as "third-party modules");
- apply existing techniques to protect against SQL injection and XSS attacks;
- provide website logging and monitoring of security events;
- make regular backups of the website and all important data;
- use strong and complex passwords, as well as brute-force protection;
- if there is an administrative panel with which the content of the website is managed, it is necessary to change the default login address and ensure access control.
Reliable hosting and SSL
So, let's start with the fact that in our arsenal we have a reliable server or virtual hosting, the administration of which will remain outside the scope of this article. As for connecting an SSL certificate, this is a mandatory measure and even comments are unnecessary here.
DDoS protection
If your hosting provider provides protection against DDoS attacks or you use anti-DDoS services, then this question can be considered closed, but why not strengthen the protection and organize it yourself, which is undoubtedly a time-consuming task and implies the simultaneous using the following techniques: if Apache is used as a web server, then you need to put a caching proxy in front of it - Nginx or Lighttpd, and it is better to use Nginx on the frontend, but with several add-ons (limit the sizes of buffers and connections in Nginx, set timeouts, etc. like; use the testcookie-nginx module; use URL filtering and send a non-standard 444 code that allows you to close the connection and not give anything back); in some cases, use geographic blocking; automate the process of analyzing website logs, paying particular attention to traffic volume, server response time, number of errors and number of requests per second.
Third party module security
As for the recommendation related to the use of secure third-party modules in their applications, this topic is perhaps one of the most important, because most malicious attacks occur through third-party modules. The point of this clause is to use frameworks and libraries with built-in security functions that will help developers minimize the emergence of vulnerabilities during implementation. I would like to highlight more detailed recommendations regarding this point: use third-party modules from trusted sources that are supported by the community and are actively developed; keep up to date a list of all third-party modules; use only the functionality that is required within your application.
SQL injection and XSS attacks
The recommendation regarding protection against SQL injection and XSS attacks requires the most detailed explanation, because the attackers are targeting specific data from the database (SQL injection) and user data (XSS attack). It should also be understood that the issues related to SQL injection cover an extensive section on ensuring secure access to all data stores, including relational and NoSQL databases, and include query security issues (it is necessary to avoid illegitimate input data in SQL commands and the best solution is to use parameterized queries that can be applied to SQL / OQL constructs and stored procedures), configuration (you need to make sure that the existing security tools of the DBMS and the platform on which it is installed are configured correctly), authentication (must be performed over a secure channel ) and connections (due to the existence of several ways of interacting with the database (through a service or API), it is necessary to ensure the security of connections using encryption and authentication).
With regard to a cross-site scripting (XSS) attack, in this case, the consequences of moderate severity can be caused by reflected XSS or XSS based on the document object model (DOM), and cross-site execution of stored scripts with code execution in the user's browser can cause serious consequences. with the aim of stealing credentials, hijacking sessions or installing malicious software. The main protection measure in this case is escaping (adding certain combinations of characters before characters or strings to prevent their incorrect interpretation), encoding data (converting certain characters into combinations of characters that do not pose a threat to the interpreter) on the server side and using a set of HTTP headers , in particular, Set-Cookie with HttpOnly and Secure parameters, and X-XSS-Protection with a value of 1.
A common security measure used to prevent SQL injection and cross-site scripting is to validate all input against syntactic and semantic norms. The syntactic norm should be understood as the full compliance of the input data with the expected form of presentation, and the semantic norm indicates that the input data does not go beyond the limits of a particular functional.
Logging and monitoring
The recommendation related to logging all events and monitoring security events has already been mentioned when considering methods of protection against DDoS attacks, but in this case the broader side of the issue is considered, related to detecting and counteracting attacks, as well as investigating security incidents that have already occurred. Therefore, in addition to the standard logging tools provided by the web server, you need to ensure that the event time and user ID are recorded, as well as potentially harmful activity specific to your website. In case of detection of malicious activity, your application should block the user session or block by IP address, in general, take action and inform the administrator about it. Here we are already talking about tools such as WAF or IDS / IPS.
Backups
Regarding regular backups of the website and all data, here you need to think about where and how this data is stored. An effective way is to encrypt critical data storages and backups, as well as store backup files not on the file system, but in another place, which is safe in no doubt and which will always be at hand for quick deployment.
12345 or qwerty?
A recommendation for using strong and complex passwords not only and not so much about passwords, but about authentication and user session management in general. There are three levels of authentication and the use of only passwords refers only to the first - the simplest level (the second is multifactor authentication; the third is encryption-based authentication). However, even here there are a number of requirements for the passwords themselves, the password recovery mechanism, and also for the secure storage of passwords. Session management allows you to control the state of user authentication to work with a website without re-authentication. Sessions also have creation and completion requirements.
Administrative panel protection
The final recommendation is to protect the administrative panel of the website, because it is one of the weak points in the overall system due to the extensive functionality associated with adding / editing posts and pages, working with files and much more. Therefore, an important condition is to ensure proper access control, as well as maximum concealment from intruders of the location of the administrative panel, implemented by simply transferring the address to a non-standard one and maximum protection of this entry point through brute force protection, filtering by IP addresses, etc. When creating an access control system, the following principles should be adhered to: sending all requests through the access control system; Deny access by default (i.e., reject a request unless it was specifically allowed); minimum privileges for all users, programs or processes; refusal to use the role-based access control model, which is hard-coded; registration of all events related to access control.
Conclusion
This review article discusses some of the techniques to improve the security of your website. Each individual recommendation deserves a separate consideration, but even with such a brief review, one thing remains clear - the approach to ensuring security must be comprehensive and systemic, and it does not tolerate condescension. You need to be careful about access control, keep existing third-party modules up to date, filter input data, and much more. Anything to add? Be sure to share in the comments.