Website Security Made Easy

Online presence is an essential part of any business strategy today. With small and large entrepreneurs alike aiming for a website to extend their reach to customers, website security is a dimension you cannot afford to ignore any more. It is, however, such a specialized area of technology that people with limited IT knowledge cannot readily comprehend it. Through this article we intend to create awareness of the simple steps you can take to ensure that your website gains the trust of its visitors and is protected against viruses and hackers.

Six steps that you can take to make your website secure:

1. Use strong input validation: The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows. Data from the client should never be trusted, since the client can tamper with it at will.
In many cases, encoding has the potential to defuse attacks that rely on a lack of input validation. For example, if you apply HTML entity encoding to user input before it is sent to a browser, it will prevent most XSS attacks. However, simply preventing attacks is not enough: you must also perform intrusion detection in your applications. Otherwise, you are allowing attackers to repeatedly probe your application until they find a vulnerability that you haven't protected against. Detecting attempts to find these weaknesses is a critical protection mechanism.
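As an added example (not from the original article), here is how the two halves of this advice, output encoding and detection of probing attempts, fit together in Python; the suspicious-input patterns and the sample submissions are constructed for illustration.

```python
import html
import re

# Constructed patterns that often appear in attempts to inject script into a
# page. A match is a signal worth logging, not proof of an attack.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bon\w+\s*=", re.IGNORECASE),       # onerror=, onload=, ...
    re.compile(r"<\s*(iframe|object|embed)", re.IGNORECASE),
]


def encode_for_html(value: str) -> str:
    """HTML-entity-encode untrusted text so the browser renders it as text.

    quote=True also escapes ' and ", so the result is safe inside attribute
    values delimited by either quote character, not only in element bodies.
    """
    return html.escape(value, quote=True)


def detect_suspicious_input(field: str, value: str) -> list[str]:
    """Return one alert line per matched pattern (empty list if none)."""
    return [
        f"suspicious input in {field!r}: matched {p.pattern!r}"
        for p in SUSPICIOUS_PATTERNS
        if p.search(value)
    ]


def handle_untrusted_field(field: str, value: str) -> tuple[str, list[str]]:
    """Encode the value for display and return any detection alerts.

    Encoding neutralises the payload; the alerts are what let an operator
    notice repeated probing and react before a gap in the defences is found.
    """
    return encode_for_html(value), detect_suspicious_input(field, value)


if __name__ == "__main__":
    # Constructed sample submissions to a comment form, one benign, one hostile.
    for sample in ["Great article, thanks!", "<script>alert(1)</script>"]:
        safe, alerts = handle_untrusted_field("comment", sample)
        print(safe)
        for line in alerts:
            print("ALERT:", line)
```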

2. Harden server-level file permissions: If you are lucky, your web hosting provider has all the file permissions set up so effectively that you will never need to care. However, this is not always the case, so first you may need or wish to understand how file permissions work. Most web servers run some variant of UNIX/Linux. On these systems, file permissions can be changed via chmod. There are several possible ways to change file permissions on a UNIX/Linux web server:

  • with the "change permissions" option of your current FTP client program, such as FileZilla (see your FTP documentation)
  • with the file manager of your web hosting control panel (see your host documentation)
  • by issuing chmod shell commands (if you're not familiar with shell access, use one of the above)
  • if you have cPanel or similar software installed, look for an option in its File Manager which allows you to set file permissions
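An added example, not from the original article, of the chmod route done programmatically in Python: it audits a web root for world-writable entries and resets files to 0644 and directories to 0755. The 0644/0755 targets and the throwaway web root are assumptions chosen for illustration; use the modes your host documents.

```python
import stat
import tempfile
from pathlib import Path

# Assumed web-root modes: files 0644, directories 0755; nothing world-writable.
FILE_MODE = 0o644
DIR_MODE = 0o755


def world_writable(root: Path) -> list[Path]:
    """Return every file and directory under root that 'others' may write to."""
    found = []
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue  # a link's own mode is irrelevant; its target is checked in place
        if path.stat().st_mode & stat.S_IWOTH:
            found.append(path)
    return sorted(found)


def harden(root: Path) -> int:
    """Apply FILE_MODE / DIR_MODE under root; return how many entries changed."""
    changed = 0
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue
        want = DIR_MODE if path.is_dir() else FILE_MODE
        if stat.S_IMODE(path.stat().st_mode) != want:
            path.chmod(want)
            changed += 1
    return changed


def demo() -> dict:
    """Build a constructed web root with sloppy permissions, audit it, fix it."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "uploads").mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / "uploads" / "notes.txt").write_text("draft")
    (root / "index.html").chmod(0o644)
    (root / "uploads" / "notes.txt").chmod(0o666)  # sloppy: anyone can edit
    (root / "uploads").chmod(0o777)                # sloppy: anyone can add files
    before = [str(p.relative_to(root)) for p in world_writable(root)]
    changed = harden(root)
    after = [str(p.relative_to(root)) for p in world_writable(root)]
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    print(demo())
```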

3. Disable the TRACE and TRACK methods on your web server: Cross-site tracing (XST) vulnerabilities, a variant of cross-site scripting, can be prevented by making sure only the required HTTP methods are enabled on your web server. It is not uncommon to see a low-level vulnerability show up on a PCI compliance assessment scan: Web Server HTTP TRACE/TRACK Method Support Cross-Site Tracing Vulnerability. The wording for this vulnerability can be a little misleading, because one can be vulnerable due to TRACE being enabled, because TRACK is enabled, or because both are enabled. Although these methods are useful for legitimate purposes, they may compromise the security of your server by enabling cross-site tracing attacks. By exploiting certain browser vulnerabilities, an attacker may use the TRACE and TRACK methods to intercept your visitors’ sensitive data. The solution, of course, is to disable these methods on your web server.

On Apache you can disable the TRACE and TRACK methods with the following .htaccess directives:

  • RewriteEngine on — enables Apache’s rewrite module (this directive is not required if it is already present in your .htaccess file)
  • RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) — matches all TRACE and TRACK request methods for the following rule
  • RewriteRule .* - [F] — returns a 403 Forbidden response for all matched requests (i.e., all TRACE and TRACK requests)

4. Scan your website: It is advisable to scan your website on a daily or weekly basis, as new vulnerabilities are discovered every day. Online vulnerability scanners are the best and easiest way to stay ahead of hackers. These scanners are so simple to work with that you just have to provide your IP address or URL and the scans are set up automatically. You may even sign up for a commercial service; this ensures that the service is delivered to you in an automated and managed way. When a high-risk issue is found on your website, a message is sent to your cell phone or email. The reports provided by such service providers also give insights into solutions to these issues. Some advanced services give you access to a secured dashboard area which summarizes the results of all scans in a snapshot. This can help you focus on the most vulnerable web servers or solve the most critical findings first.

5. Website security certificate: SSL certificates do a lot of good for your website in terms of providing transport-layer security to your customers. Another area where SSL certificates can be very useful is identity assurance. With phishing threats becoming more and more prevalent in the wild, your customers can verify your website's identity by looking at the SSL certificate endorsed by a root authority such as VeriSign. However, SSL certificates are not the only certificates that can endorse your website's security. Other website security certificates, popularly known as trust seals or website seals, can also help you convey trust and confidence to your customers. Recent research has shown that customers tend to buy more from websites that display some kind of security certificate.

6. Use strong passwords: This is by far the easiest way to ensure that your website is not hacked by a simple brute-force or dictionary attack. Some password policies suggest or impose requirements on what type of password a user can choose, such as:
  • the use of both upper- and lower-case letters (case sensitivity)
  • inclusion of one or more numerical digits
  • inclusion of special characters, e.g. @, #, $ etc.
  • prohibition of words found in a dictionary or of the user's personal information
  • prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
  • prohibition of the use of the company name or an abbreviation of it
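An added example (not from the original article) that turns the policy bullets above into a checker in Python; the word list, company name and registration details are constructed placeholders, and the date, phone and plate patterns are one reasonable reading of "common numbers".

```python
import re

# Constructed stand-ins for a real dictionary and the organisation's name.
DICTIONARY_WORDS = {"password", "summer", "welcome", "dragon", "letmein"}
COMPANY_NAME = "Acme Web Hosting"  # constructed placeholder

# Formats the policy treats as "common numbers": calendar dates (and bare
# years), phone numbers and licence-plate-like strings.
DATE_RE = re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}|(?:19|20)\d{2}")
PHONE_RE = re.compile(r"\d{3}[-. ]?\d{3}[-. ]?\d{4}")
PLATE_RE = re.compile(r"[A-Z]{2,3}[- ]?\d{3,4}")


def company_abbreviation(name: str) -> str:
    """'Acme Web Hosting' -> 'awh' (initials, lower-cased)."""
    return "".join(word[0] for word in name.split()).lower()


def check_password(password: str, personal_info: list[str]) -> list[str]:
    """Return the policy rules the password violates (empty list = accepted)."""
    lowered = password.lower()
    failures = []
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", password):
        failures.append("needs at least one digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("needs at least one special character")
    if any(word in lowered for word in DICTIONARY_WORDS):
        failures.append("contains a dictionary word")
    if any(info.lower() in lowered for info in personal_info if len(info) >= 3):
        failures.append("contains personal information")
    if any(r.search(password) for r in (DATE_RE, PHONE_RE, PLATE_RE)):
        failures.append("matches a date, phone number or licence plate format")
    squashed = lowered.replace(" ", "")
    if (COMPANY_NAME.lower().replace(" ", "") in squashed
            or company_abbreviation(COMPANY_NAME) in lowered):
        failures.append("contains the company name or its abbreviation")
    return failures


if __name__ == "__main__":
    user = ["Jane", "Smith", "1985"]  # constructed registration details
    for candidate in ["Summer2024!", "awh-Jane#7", "T9$kq!Lz#3vRm"]:
        print(candidate, "->", check_password(candidate, user) or ["accepted"])
```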

These are simple steps you can follow to ensure that your website is not a soft target for hackers and virus-distributing bots.

Hackers Locked Technologies is a leading provider of trust seals and website seals. To avail yourself of such services, call us on +401 466 4546.