Every website can suffer a security breach. You might not think there is anything of value on your site, but that does not mean there is no opportunity for it to be compromised. Most website security breaches are attempts to use your server as an email relay for spam, so making sure your website is secure matters.

Without a secure website you could be hit by ransomware, have your server enlisted in a botnet, or end up serving files of an illegal nature. Most hacking is performed by automated scripts that scour the internet for exploitable security vulnerabilities. Here are six ways to make sure your website is secure for your customers.

1. Protect Against XSS Attacks 

XSS attacks, or cross-site scripting, inject malicious code, namely JavaScript, into your pages. That code then runs in your users' browsers, where it can change page content and steal information to send back to the attacker.

One way this can happen is if you show comments on a page without any validation. An attacker can spot this and submit comments containing script tags and JavaScript, which then run in every user's browser and steal their login cookies. That allows the attacker to take control of the account of every user who has viewed the comment.

To prevent this you have to ensure that users cannot inject active JavaScript content into your pages. Modern pages are built largely from user content that is rendered into HTML by front end frameworks like Angular and Ember. These frameworks provide many XSS protections, but they do not cover every case. Mixing server-side and client-side rendering creates new and complicated attack avenues. What you have to focus on is that user-generated content could escape the bounds you expect and be interpreted by the browser in a way you never intended.

To protect against these attacks when dynamically generating HTML, use functions that explicitly make the changes you are looking for, or use functions in your templating tool that do the appropriate escaping automatically, rather than setting raw HTML content.

Another powerful tool to consider is Content Security Policy, or CSP. A CSP is a header your server returns that instructs the browser to limit how and which JavaScript is executed on a page. It could, for example, refuse to run any scripts not served from your domain, or disallow inline JavaScript.
[Image: infographic showing the issues you can encounter and why web security is essential. Caption: A CSP is a header your server can return which instructs your browser to limit how and what JavaScript is executed on a page. (Image Credit: Velocity Consultancy)]
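The two defences described above, output escaping and a Content Security Policy header, as an added example in Python (this is editor-supplied illustration, not code from the article or from ProfileTree). It shows the vulnerable pattern of dropping a comment straight into the page beside the escaped version, and builds a CSP value that only allows same-origin scripts. The sample comment, the function names and the CSP directive set are assumptions made for the example.

```python
import html
import re
from typing import Tuple

# Constructed sample comment, as an attacker might submit it (not from the article).
SAMPLE_COMMENT = 'Great article! <script>alert("xss")</script>'


def render_comment_unsafe(comment: str) -> str:
    """The vulnerable pattern: raw user text dropped straight into the page."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment: str) -> str:
    """The hardened pattern: escape before inserting into HTML text content.

    html.escape converts <, >, &, " and ' into entities, so the browser
    displays the text instead of parsing it as markup.
    """
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def contains_script_tag(markup: str) -> bool:
    """Demonstration check only (not a sanitizer): does a real <script> tag survive?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


def csp_header(allow_inline_scripts: bool = False) -> Tuple[str, str]:
    """Build a Content-Security-Policy header that only runs same-origin scripts.

    With the default, inline <script> blocks and scripts from other domains are
    refused by the browser even if escaping was missed somewhere.
    """
    script_src = "'self'"
    if allow_inline_scripts:
        # Weak setting: 'unsafe-inline' re-enables the inline scripts XSS relies on.
        script_src += " 'unsafe-inline'"
    directives = [
        "default-src 'self'",
        f"script-src {script_src}",
        "object-src 'none'",
        "base-uri 'self'",
    ]
    return "Content-Security-Policy", "; ".join(directives)


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(": ".join(csp_header()))
```

Escaping is context-specific: `html.escape` is right for text content and attribute values, but a value placed inside a `<script>` block or a URL needs a different encoder, which is why the article's advice to lean on the templating tool's own escaping is the safer default.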

2. Check Your Passwords

Every internet user is familiar with the need to refresh passwords regularly, because passwords are compromised rather easily. Strong passwords are an integral part of all internet use, and in your server and website admin area in particular.

Enforcing password requirements for users is a must. Best practices include an eight character minimum that includes a number or special character as well as an uppercase letter. This helps keep your customers' information protected in the long run.

Another important point is that passwords should be stored as hashed values produced by a one-way hashing algorithm such as SHA. When you authenticate users you then only ever compare hashed values. In the worst case, where an attacker has managed to get into your server and has access to your password store, hashed passwords limit the damage because they cannot be reversed. The only thing the attacker can do in this situation is run a dictionary attack, guessing candidate passwords one by one and hashing each until one matches.

In modern web development, nearly all CMSes ship user management with many of these security features built in.
[Image: infographic demonstrating the basics of web security. Caption: Enforcing password requirements is a must for users and some best practices include having an eight character minimum. (Image Credit: Sucuri)]
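The password policy and the one-way storage described above, as an added Python example (editor-supplied, not code from the article or from any CMS). The policy check encodes the article's three requirements. For storage it uses PBKDF2-HMAC-SHA256 from the standard library, which is a salted, slowed-down construction over SHA-256 rather than a bare SHA hash; that choice, the iteration count and the storage format are the example's own assumptions. Verification compares digests in constant time.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

MIN_LENGTH = 8
# Assumed work factor; raise it as far as your login latency budget allows.
PBKDF2_ITERATIONS = 200_000


def check_password_policy(password: str) -> Tuple[bool, List[str]]:
    """Return (ok, missing requirements) for the policy described in the article."""
    missing = []
    if len(password) < MIN_LENGTH:
        missing.append(f"at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        missing.append("an uppercase letter")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        missing.append("a number or special character")
    return (len(missing) == 0, missing)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and pack it as one storable string."""
    if salt is None:
        # Fresh random salt per user, so equal passwords produce different hashes
        # and a precomputed dictionary cannot be reused across accounts.
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many bytes matched through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    ok, missing = check_password_policy("password")
    print("policy ok:", ok, "missing:", missing)
    record = hash_password("Tr0ub4dor&3")
    print(record)
    print("verify correct:", verify_password("Tr0ub4dor&3", record))
    print("verify wrong:  ", verify_password("tr0ub4dor&3", record))
```

Storing the algorithm name and iteration count alongside each hash lets you raise the work factor later and re-hash users on their next successful login without a migration.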

3. Keep Your Software Up to Date

Software updates are critical for keeping your site secure. This applies not only to your application software but also to the server operating system and anything else you run your website on, be it a forum or a CMS.

One benefit of a managed hosting solution is that the host applies security updates regularly. If you use third party software, make sure you apply any security patches quickly. Most major CMSes, such as WordPress, notify you of updates as soon as you log on.

Always keep your dependencies up to date; tools such as Gemnasium can apply updates automatically or notify you when a vulnerability is announced in any of your components.

4. Validate on Browser and Server Side

Validate input on both the browser side and the server side. Browser-side validation catches simple failures, such as empty mandatory fields, but it can be bypassed, so the same checks, plus deeper validation, must be repeated on the server. If you don't do this, you run the risk of malicious or scripted content being inserted into your database, which could break your site and produce bad results.
[Image: an arrow clicking on a security button on a website. Caption: It is integral that you do validation on not only your browser side but also on your server side. (Image Credit: M-W.com)]
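Server-side validation of a checkout form, as an added Python example (editor-supplied, not from the article). Every field arrives as text, whatever the browser form promised, so each one is checked for presence, length, shape and range before it is trusted. The form fields, the limits and the two constructed submissions are assumptions made for the example.

```python
import re
from typing import Dict

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
WHOLE_NUMBER_RE = re.compile(r"[0-9]+")
MAX_QUANTITY = 100


def validate_order_form(form: Dict[str, str]) -> Dict[str, str]:
    """Server-side validation. Returns {field: problem}; an empty dict means the form is OK.

    Browser-side checks on the same fields are a convenience for honest users;
    anyone can submit the request directly, so these checks are the real gate.
    """
    errors: Dict[str, str] = {}

    name = form.get("name", "").strip()
    if not name:
        errors["name"] = "required"
    elif len(name) > 80:
        errors["name"] = "must be 80 characters or fewer"

    email = form.get("email", "").strip()
    if not email:
        errors["email"] = "required"
    elif len(email) > 254 or not EMAIL_RE.match(email):
        errors["email"] = "is not a valid email address"

    quantity = form.get("quantity", "").strip()
    if not WHOLE_NUMBER_RE.fullmatch(quantity):
        # Rejects "", "-5", "1e9", "3 OR 1=1" and other values a hidden or
        # tampered numeric field can carry; only ASCII digits pass.
        errors["quantity"] = "must be a whole number"
    elif not 1 <= int(quantity) <= MAX_QUANTITY:
        errors["quantity"] = f"must be between 1 and {MAX_QUANTITY}"

    return errors


# Constructed sample submissions (not from the article).
GOOD_FORM = {"name": "Ada", "email": "ada@example.com", "quantity": "3"}
TAMPERED_FORM = {"name": "", "email": "not-an-address", "quantity": "-5"}

if __name__ == "__main__":
    print("good:", validate_order_form(GOOD_FORM))
    print("tampered:", validate_order_form(TAMPERED_FORM))
```

Validation constrains the shape of what reaches your database; it does not replace parameterised queries or output escaping, which handle the content that legitimately passes.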

5. Watch Out for Error Messages

Error messages aren't always as innocent as they seem. Show users only minimal errors so that you don't unintentionally leak details of your server, which could be anything from database passwords to API keys. Likewise, never return full exception details to the user: they make complex attacks such as SQL injection much easier. Keep detailed errors in your server logs and show users only the information they need.
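The split between detailed server logs and a minimal user-facing message, as an added Python example (editor-supplied, not from the article). The leaky handler echoes the exception text, which in the constructed failure carries a connection password; the hardened handler writes the full traceback to the log together with a reference id and returns only that id to the user. The in-memory log buffer, the fake database call and the placeholder secret are assumptions made so the example runs stand-alone.

```python
import logging
import traceback
import uuid
from io import StringIO
from typing import Tuple

# The log sink is an in-memory buffer here so the example runs stand-alone;
# in production this would be the server's log file or log shipper.
LOG_BUFFER = StringIO()
logger = logging.getLogger("orders")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(logging.StreamHandler(LOG_BUFFER))


class DatabaseError(Exception):
    pass


def fetch_order(order_id: str) -> str:
    """Constructed stand-in for a database call whose exception text carries secrets."""
    raise DatabaseError(
        f"could not connect to db.internal as app_user with password=EXAMPLE_SECRET "
        f"while loading order {order_id}"
    )


def handle_order_leaky(order_id: str) -> Tuple[int, str]:
    """The vulnerable pattern: the exception text goes straight to the user."""
    try:
        return 200, fetch_order(order_id)
    except Exception as exc:
        return 500, f"Internal error: {exc}"


def handle_order(order_id: str) -> Tuple[int, str]:
    """The hardened pattern: full traceback to the server log, generic message to the user.

    The reference id appears in both, so support can find the log entry
    without the user ever seeing stack frames, queries or credentials.
    """
    try:
        return 200, fetch_order(order_id)
    except Exception:
        reference = uuid.uuid4().hex[:12]
        logger.error("reference=%s order_id=%r\n%s", reference, order_id, traceback.format_exc())
        return 500, f"Sorry, something went wrong. Reference: {reference}"


if __name__ == "__main__":
    print(handle_order_leaky("A1"))
    print(handle_order("A1"))
    print("--- server log ---")
    print(LOG_BUFFER.getvalue())
```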

6. Use HTTPS

HTTPS is a protocol used to provide security over the Internet. It guarantees that users are talking to the server they expect and that nobody else can intercept the content they're seeing. If you have anything your users might want kept private, it's highly advisable to deliver it only over HTTPS. Notably, Google has announced that it will boost HTTPS sites in the search rankings, so there is an SEO benefit too. Insecure HTTP is on its way out, and now's the time to upgrade.
[Image: a browser address bar showing HTTPS security on a URL. Caption: HTTPS is a protocol used to provide security over the Internet. It guarantees that users are talking to the server they expect, and that nobody else can intercept the content they're seeing. (Image Credit: Crucial.com.au)]
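Enforcing HTTPS-only delivery, as an added Python example (editor-supplied, not from the article). A request that arrives over plain HTTP is redirected permanently to the same URL over HTTPS, and HTTPS responses carry a Strict-Transport-Security header so the browser keeps using HTTPS for the host afterwards; HSTS is an addition beyond the article's text. The second function handles the common deployment where TLS is terminated at a proxy and the application only learns the original scheme from `X-Forwarded-Proto`, which must be trusted only when a proxy you control sets it. Function names, the header values and the sample requests are assumptions.

```python
from typing import Dict, Tuple

ONE_YEAR_SECONDS = 31536000
HSTS_VALUE = f"max-age={ONE_YEAR_SECONDS}; includeSubDomains"


def effective_scheme(direct_scheme: str, headers: Dict[str, str], behind_trusted_proxy: bool) -> str:
    """Work out the scheme the user actually used.

    Behind a TLS-terminating proxy the app sees plain HTTP on every request,
    so X-Forwarded-Proto is consulted, but only when a trusted proxy sets it;
    otherwise a client could send the header itself and skip the redirect.
    """
    if behind_trusted_proxy:
        forwarded = headers.get("X-Forwarded-Proto", "")
        if forwarded:
            return forwarded.split(",")[0].strip().lower()
    return direct_scheme.lower()


def enforce_https(scheme: str, host: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) for a request on the given scheme.

    Plain HTTP: 301 to the HTTPS URL so browsers and search engines update.
    HTTPS: add HSTS. Browsers ignore HSTS sent over HTTP, so it is set only here.
    """
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {"Strict-Transport-Security": HSTS_VALUE}


if __name__ == "__main__":
    # Constructed sample requests (not from the article).
    print(enforce_https("http", "shop.example.com", "/account?tab=orders"))
    print(enforce_https("https", "shop.example.com", "/account?tab=orders"))
    scheme = effective_scheme("http", {"X-Forwarded-Proto": "https"}, behind_trusted_proxy=True)
    print(enforce_https(scheme, "shop.example.com", "/"))
```

Start with a short `max-age` while you confirm every subdomain is served over HTTPS; once `includeSubDomains` is cached by browsers, any host under the domain that still lacks a certificate becomes unreachable for them until the policy expires.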

Protect Your Customers

There are a multitude of ways to ensure your website is safe and secure. That is essential to guarantee that your customers can browse your website without being exposed to anything unsavoury that could damage your site and their experience.

Need additional security on your website and unsure how to implement it? At ProfileTree we have a myriad of web development experts waiting to help you with your website. Contact us today.
