How to secure your website?

In search of modern methods and tools that allow us to at least with some degree of certainty claim that the website is protected from future hacker attacks (That everyone will have them, no one after all has doubts? And if there weren’t any , then this is only a matter of time), recommendations were found that we will consider in this article.

This is a small but important list of specific actions that everyone should take with their own web resource, if the company’s reputation, the security of web resources and customer data are not empty words for you.

There are several basic ways to protect your site:

• provide protection against DDoS attacks;
• connect an SSL certificate;
• use reliable hosting;
• use secure plugins / libraries / frameworks / CMS (hereinafter referred to as “third-party modules”);
• apply existing protection techniques against SQL injection and XSS attacks;
• provide website logging and security event monitoring;
• make regular backups of the website and all important data;
• Use strong and complex passwords, as well as protection against password cracking;
• if there is an administrative panel through which the content of the website is managed, it is necessary to change the standard login address and provide access control.

Naturally, each item has its own “but” and a number of sub-items on which attention should be paid. They can also be divided into subgroups based on the following considerations: some actions require a one-time connection, configuration and rare health checks (setting up a hosting and SSL certificate), while others involve constant checks, updates and require close attention (everything else).

Reliable hosting and SSL

So, to begin with, our arsenal has a reliable server or shared hosting, the administration of which will remain outside the scope of this article. As for connecting an SSL certificate, this is a mandatory measure and even comments are redundant here.

DDoS Protection

If your hosting provider provides services for protection against DDoS attacks or you use the services of anti-DDoS services, then this question can be considered closed, but why not strengthen the protection and organize it yourself, which is undoubtedly a time-consuming task and implies simultaneous using the following techniques: if Apache is used as a web server, then you need to put a caching proxy in front of it – Nginx or Lighttpd, but it is better to use Nginx on the frontend, but with several add-ons (limit the size of buffers and connections in Nginx, configure timeouts and etc .; use the testcookie-nginx module; use URL filtering and give non-standard code 444, which allows you to close the connection and not give anything back); in some cases, use geographic locking; Automate the process of analyzing website logs, paying particular attention to the amount of traffic, server response time, the number of errors and the number of requests per second.

Third Party Security

As regards the recommendation regarding the use of secure third-party modules in their applications, this topic is probably one of the most important, because most malicious attacks occur through third-party modules. The essence of this paragraph is to use frameworks and libraries with built-in security features that will help developers minimize the appearance of vulnerabilities in the implementation process. I would like to highlight more detailed recommendations regarding this item: use third-party modules from trusted sources that are supported by the community and are actively developed; Keep up to date the list of all third-party modules; Use only the functionality that is required within your application.

SQL injections and XSS attacks

The recommendation regarding protection against SQL injections and XSS attacks requires the most detailed explanation, because the purpose of the attackers here is specific data from the database (SQL injection) and user data (XSS attack). It is also worthwhile to understand that issues related to SQL injection cover an extensive section on providing secure access to all data warehouses, including relational databases and NoSQL databases, and include query security issues (avoid illegitimate input as part of SQL- commands and the best solution is to use parameterized queries that can be applied to SQL / OQL constructions and stored procedures), configuration (you need to make sure that the existing DBMS security tools and the platform on which it is installed are correctly configured), authentication (must be performed through a secure channel ) and connections (due to the existence of several ways to interact with the database (through a service or API), it is necessary to ensure the security of connections using encryption and authentication).

As for cross-site scripting (XSS-attack), in this case the consequences of moderate severity can be caused by reflected XSS or XSS based on the document object model (DOM), and cross-site scripting with code execution in the user’s browser can lead to serious consequences to steal credentials, intercept sessions, or install malicious software. The main protection measure in this case is screening (adding certain combinations of characters before characters or lines to prevent their incorrect interpretation), encoding data (converting certain characters to combinations of characters that are not dangerous for the interpreter) on the server side and using a set of HTTP headers in particular, Set-Cookie with HttpOnly and Secure parameters, as well as X-XSS-Protection with a value of 1.

A common security measure used to prevent SQL injection and cross-site scripting is to check all input for syntax and semantics. The syntactic norm should be understood as the complete correspondence of the input data to the expected presentation form, and the semantic norm indicates that the input data does not go beyond the limits of a specific functional.

Logging and monitoring

The recommendation regarding the logging of all events and monitoring of security events has already been mentioned when considering methods of protection against DDoS attacks, but in this case we consider the broader side of the issue related to the detection of attacks and counteraction to them, as well as the investigation of already occurred security incidents. Thus, in addition to the standard logging tools provided by the web server, you need to make sure that the event time and user ID are logged, as well as the potentially dangerous activity specific to your website. In case of detection of malicious activity, your application should block the user session or block by IP address, in general, take measures and inform the administrator about it. Here we are talking about such tools as WAF or IDS / IPS.

Backups

As for the regular backup of the website and all the data, here you need to think about the place and type of storage of this data. An effective way is to encrypt storage of critical data and backups, as well as storing backup files not on the file system, but in a different place, the safety of which there is no doubt, and which will always be at hand for quick deployment.

12345 or qwerty?

The recommendation for using strong and complex passwords is not only and not so much about passwords, but in general about authentication and user session management. There are three levels of authentication, and the use of only passwords refers only to the first – the simplest level (the second is multi-factor authentication; the third is authentication based on encryption). However, even here there are a number of requirements for the passwords themselves, the password recovery mechanism, as well as for the secure storage of passwords. Session management allows you to monitor the state of user authentication for working with a website without re-authentication. Sessions are also required to create and complete.

Admin panel protection

The final recommendation is to protect the admin panel of the website, because it is one of the weaknesses in the overall system due to the extensive functionality associated with adding / editing posts and pages, working with files and much more. Therefore, an important condition is to ensure proper access control, as well as maximum concealment of the location of the administrative panel from cybercriminals, implemented by simply transferring the address to a non-standard one and maximizing protection for this entry point through protection from brute force, filtering by IP addresses, etc. When creating an access control system, the following principles should be adhered to: sending all requests through an access control system; Deny access by default (i.e. reject the request, if it was not specifically authorized); minimum privileges for all users, programs or processes; refusal to use the role model of access control, hard-coded in the code; registration of all events related to access control.

Conclusion

This review article looks at some techniques to improve website security. Each individual recommendation deserves a separate review, but even with such a brief review, one thing remains clear – the approach to ensuring security should be comprehensive and systematic and it should not be tolerated. You need to carefully approach access control, keep up-to-date third-party modules up to date, filter input data and much more. Got something to add? Be sure to share in the comments.

As an advertisement

Vdsina It offers reliable servers with daily or one-time payment, each server is connected to an Internet channel of 500 megabits and is free of charge protected from DDoS attacks!