Website Security and How to Improve It in Detail
Website security is an important job!
You may feel confident, trusting, and always assume that your website will never be hacked, for many different reasons:
Reason 1: Your website has nothing worth hacking. "I only built a website to introduce the company, who would bother to hack it?" -> in fact hackers always have different reasons, small and large, to break into websites like yours.
Reason 2: Your website uses ABC technology and it is very good, so surely no one can hack you -> maybe you are right, but maybe you are missing something. Holes in websites keep appearing even though people have been trying to fill them for decades; they are still there, and no one will say with 100% certainty that a site cannot be hacked.
Reason 3: Even if my website gets hacked, it doesn't matter to me; I don't care -> you are underestimating the role your website plays and the potential of your internet business.
In fact, there are quite a few carefree people like this who ignore the problem of website hacking until they are hacked; then they are startled, and it is too late. Therefore, if you want to relax and focus on your business, you should consider choosing a reputable website design company, which will contribute greatly to the security of your website. Even if you entrust it completely to the website design company, you still need to know the basics of how to secure a website.
Some useful ways to secure your website
Regularly update website application software
As obvious as this may seem, making sure all software is up to date is vital in keeping your site free of the dangers that are always lurking. This applies both to the server operating system and to any software you run on the website, including a CMS or forum. When a security vulnerability is found in application software, hackers will quickly seize the opportunity to abuse it.
If you are using a managed hosting solution then you do not need to worry much about applying security updates to the operating system, as the hosting company will manage this for you.
If you are using third-party software such as a CMS or forum, you should make sure you apply security patches promptly. Most product vendors have a notification mailing list or RSS feed outlining any related website security issues. WordPress, OpenCart and many other CMSs will notify you of available system updates each time you log in.
Make sure you keep your dependencies up to date and use tools like Gemnasium to receive automatic notifications when a vulnerability is announced in one of your website components.
SQL injection security
SQL injection is the most common form of website attack, based on manipulating website forms. The reason is that this input is often not properly encoded, and hacking tools take advantage of these weaknesses to perform malicious activities. This type of exploit is very easy to achieve; even inexperienced attackers can perform it. More seriously, if exploited by a skilled attacker, a single weakness in the website's source code can expose root access to the web server, and from there the attacker can attack other servers on the network.
Structured Query Language (SQL) is a near-universal database language that allows storing, manipulating and retrieving data. Databases that use SQL include MS SQL Server, MySQL, Oracle, Access… and of course these databases are also subject to SQL injection attacks. Anti-virus programs are not very effective at blocking SQL injection attacks either, simply because they are designed to detect and prevent a completely different kind of threat.
The most common SQL injection prevention consists of two components. The first is to regularly update and patch all servers, services and applications; the second is to write the source code well and test it so that it does not allow unusual SQL commands to be executed.
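The "write the source code well" part of that advice comes down to never building SQL text out of form input. The following Python example is added here to illustrate it and is not code from the original article: it uses the standard sqlite3 module and a constructed two-row users table, and contrasts the query a form-driven search would run when the input is pasted into the SQL string with the same query using a bound parameter, which is what stops the injection.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the article).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """VULNERABLE: the form value is pasted into the SQL text, so a quote
    character in the input ends the string literal and the rest of the
    input is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """SAFE: the value is bound to a '?' placeholder. The driver never parses
    it as SQL, so quotes and keywords in the input stay ordinary characters."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the classic test string: one quote is enough
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row is returned
    print("safe:      ", find_user_safe(db, probe))        # no such user: []
```

The same placeholder style (`?`, `%s` or `:name` depending on the driver) is available in every mainstream database library; the point is that the SQL text is fixed before any user value reaches the database.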
Secure your website against XSS
A cross-site scripting (XSS) attack injects malicious JavaScript into your website, which then runs in users' browsers and can change the website content or steal information to send back to the attacker. For example, if you display comments on a page without validation, an attacker can submit a comment containing script tags and JavaScript that will run in every other user's browser and steal their login cookies, allowing the attacker to take control of the account of every user who viewed the comment. You need to make sure that users cannot inject JavaScript content into your pages.
This is of particular concern in modern web applications, where pages are built primarily from user content and in many cases generate HTML, which is then also processed by front-end frameworks like Angular and Ember. These frameworks provide a lot of XSS protection, but mixing server-side rendering with client-side processing can create new, more complex attack paths: it is not only possible to inject HTML that turns into JavaScript, but content can also be injected by inserting Angular or Ember directives.
The key here is to focus on how user-generated content can escape the confines you expect and be interpreted by the browser as something other than what you intended; this is similar to protecting against SQL injection. When generating HTML dynamically, use functions that make exactly the change you are looking for (for example, element.setAttribute and element.textContent, rather than manually setting element.innerHTML), or better still use the functions your framework provides rather than concatenating strings or setting HTML content.
Another powerful tool in the XSS defender's toolbox is Content Security Policy (CSP). CSP is a header that your server can return to the browser to limit how JavaScript is executed on your website, for example disallowing any scripts that are not hosted on your own domain, disallowing inline JavaScript, or disabling the eval() function. This makes it much harder for an attacker's scripts to work, even if they could be included on your site.
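The browser-side advice above (textContent and setAttribute instead of innerHTML) has a server-side counterpart: encode user text when you build the HTML, and send a CSP header so that any script that does slip through cannot run. The Python example below is added for this article and is not the article's or any framework's code. It uses only the standard html module, builds the comment markup from constructed values, and includes a small CSP builder and checker; the directive names are real CSP directives, the default policy shown is this example's own choice.

```python
import html


def render_comment(author, body):
    """Return the HTML for one user comment with every user-controlled value
    escaped, so '<script>' reaches the browser as text, not markup."""
    return '<p class="comment"><b>%s</b>: %s</p>' % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


def build_csp(script_sources=("'self'",), allow_inline=False, allow_eval=False):
    """Build a Content-Security-Policy header value. By default scripts may
    only come from our own origin, and neither inline scripts nor eval() run."""
    script_src = list(script_sources)
    if allow_inline:
        script_src.append("'unsafe-inline'")
    if allow_eval:
        script_src.append("'unsafe-eval'")
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "object-src 'none'",  # no plugin content at all
        "base-uri 'self'",    # injected HTML cannot repoint <base href>
    ]
    return "; ".join(directives)


def parse_csp(header):
    """Split a CSP header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def csp_blocks_inline_and_eval(header):
    """True if the policy forbids both inline scripts and eval(), which is
    the setting the article recommends."""
    policy = parse_csp(header)
    script_src = policy.get("script-src", policy.get("default-src", []))
    return "'unsafe-inline'" not in script_src and "'unsafe-eval'" not in script_src


if __name__ == "__main__":
    # Constructed comment from a hostile user: it is rendered as visible text.
    print(render_comment("mallory", "<script>alert(document.cookie)</script>"))
    print("Content-Security-Policy:", build_csp())
```

Escaping handles the content you render yourself; the CSP header is the safety net for the content you forgot about, which is why both belong in the same response.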
Secure your website's error messages
Be careful with the information you display in error messages. Provide only minimal error details to the user, so that secrets on your server are not leaked (e.g. API keys or database passwords). Do not provide complete exception details, as these can make complex attacks such as SQL injection easier. Store detailed errors in your server logs and show users only the information they need.
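One way to implement that split between what the user sees and what the log records is shown below. This is an added Python example, not code from the article: a top-level handler catches any exception, writes the full traceback to the server log under a random incident id, and returns only a generic message plus that id, so support staff can find the details without the client ever seeing them. The in-memory INCIDENT_LOG dictionary and the failing_handler function are constructed for the demonstration.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app")

# Constructed in-memory mirror of what the logger records, so the behaviour
# can be checked without reading a log file. A real service would only log.
INCIDENT_LOG = {}


def safe_error_response(exc):
    """Log the full exception server-side; return only a generic message
    and an incident id to the client."""
    incident_id = uuid.uuid4().hex[:12]
    details = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__)
    )
    INCIDENT_LOG[incident_id] = details
    logger.error("incident %s\n%s", incident_id, details)
    return {
        "status": 500,
        "body": {"error": "An internal error occurred.", "incident_id": incident_id},
    }


def handle_request(handler):
    """Run a request handler; success passes through, any failure is
    converted into the minimal response above."""
    try:
        return {"status": 200, "body": handler()}
    except Exception as exc:  # catch-all is deliberate at the outermost layer
        return safe_error_response(exc)


def failing_handler():
    """Constructed handler whose exception message contains a secret, the
    kind of detail a raw stack trace would leak to the browser."""
    raise RuntimeError("db connect failed: password=hunter2")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_request(failing_handler))  # generic message + incident id only
```

The same pattern applies to framework error pages: turn off debug mode in production, because most frameworks' debug page is exactly the "complete exception details" the article warns about.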
Prevention and handling of DDoS attacks
DDoS is an attack that uses many compromised ("satellite") computers to attack a server directly, with the aim of overloading it so that it cannot transmit information, degrading connection quality and the accessibility of your website. Although a DDoS attack does not steal data or damage the structure of the website, it still causes a lot of disadvantages and difficulties when it happens. So for DDoS you need to prepare in advance and have a response plan that can be deployed immediately.
Server-side validation of website input
Validation should always be done both in the browser and on the server. The browser can catch simple errors, such as required fields left blank or text entered in numeric fields. However, browser checks can be bypassed, so you must also check these assertions on the server; failing to do so may allow malicious content to be inserted into the database, with unwanted results for your site.
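The server-side half of that validation, written as an added Python example (not the article's code), looks like this: the same checks the browser would make, required fields and a numeric field, repeated on the server against the raw form values, plus a format check on the username so that markup cannot ride in through a field that should only ever hold a name. The field names, limits and patterns are constructed for the demonstration.

```python
import re

# Constructed rules for a signup form; adjust to your own fields.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
MIN_AGE, MAX_AGE = 13, 120


def validate_signup(form):
    """Validate a submitted form (dict of strings, as the server receives it).
    Returns {field: error message}; an empty dict means the input is valid.
    Nothing here trusts the browser: every rule is re-checked from scratch."""
    errors = {}

    username = form.get("username", "").strip()
    if not username:
        errors["username"] = "required"
    elif not USERNAME_RE.fullmatch(username):
        errors["username"] = "3-32 letters, digits or underscores"

    email = form.get("email", "").strip()
    if not email:
        errors["email"] = "required"
    elif not EMAIL_RE.fullmatch(email):
        errors["email"] = "not a valid email address"

    # The browser's <input type="number"> is no guarantee: the server still
    # receives a string and must confirm it really is a number in range.
    age = form.get("age", "").strip()
    if not age:
        errors["age"] = "required"
    elif not age.isdigit() or not MIN_AGE <= int(age) <= MAX_AGE:
        errors["age"] = "must be a whole number between %d and %d" % (MIN_AGE, MAX_AGE)

    return errors


if __name__ == "__main__":
    # Constructed submission that a tampered request could send despite
    # the browser-side checks.
    print(validate_signup({"username": "<b>x</b>", "email": "nope", "age": "abc"}))
```

Reject the request when the dictionary is non-empty and echo the messages back; the values themselves should still be escaped on output, as in the XSS section, because validation and output encoding protect against different things.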
Set passwords with high security
Everyone knows they should use complex passwords, but that doesn't mean they are always willing to do so. It is very important to use strong passwords for the server and admin area, but it is just as important to insist on good passwords for your users to protect the security of their accounts. Enforcing password requirements such as a minimum of about eight characters, including at least one letter and one uppercase letter, will help keep their information safe in the long run.
Passwords should always be stored as hashed values; it is best to use a one-way hashing algorithm such as SHA. Using this method means that when you authenticate a user, you only need to compare hashed values. In the event someone breaks in and steals your password database, hashed passwords help limit the damage because they are difficult to reverse.
You should also set up two-factor authentication for all your online working tools: email accounts, hosting accounts, website admin accounts. The psychology of hackers is to pick negligent sites with little defence and attack those first; sites with high security are too difficult to get through.
Review file uploads to the website
Allowing users to upload files to your site can be a risk to website security, even if it is only a small step such as changing their avatar. The risk is that any uploaded file could contain a script that is executed on the server when someone requests it through a link on your website.
If you use a file upload form, you need to treat every uploaded file with suspicion. If you allow users to upload images, you cannot rely on the file extension or MIME type to verify that the file is an image, because these can be easily faked. Even opening the file or using functions to check the image size is not sufficient proof: most image formats allow storing a comment section that may contain code executed by the server.
So how do you secure the website against uploaded files?
The recommended solution is to prevent direct access to uploaded files altogether. Any files uploaded to your site should be stored in a directory outside the webroot or in the database as a blob. If the files are not directly accessible, you will need a script that fetches the files from the private directory and delivers them to the browser. Image tags support an src attribute that need not be a direct URL to an image, so your src attribute can point to a file delivery script that sends the file with the correct content type in the HTTP header.
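The delivery-script approach above, as an added Python example that is not the article's code: uploads are checked against the magic bytes of the accepted image types (the extension and client-supplied MIME type are ignored entirely), written under a random server-chosen name into a directory outside the webroot, and served back by code that sets the Content-Type itself. The signature check only filters obvious non-images; as the article notes, an image can still carry a payload in its metadata, so the real protection is that nothing in the upload directory is ever executed or exposed directly. The class name, directory layout and in-memory index are this example's assumptions.

```python
import os
import secrets
import tempfile

# Leading bytes of the image formats we accept (constructed table).
IMAGE_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}


def sniff_image_type(data):
    """Return the content type implied by the file's first bytes, or None.
    The client's filename and MIME header are deliberately not consulted."""
    for content_type, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return content_type
    return None


class UploadStore:
    """Keeps uploads in a directory outside the webroot under random names
    and hands them out through serve(), never as a direct URL."""

    def __init__(self, root_dir):
        self.root_dir = root_dir
        self.index = {}  # token -> content type (constructed metadata store)

    def save(self, data, max_bytes=2_000_000):
        """Validate and store an upload; returns the opaque token the
        <img src="/media/<token>"> handler will use."""
        if len(data) > max_bytes:
            raise ValueError("file too large")
        content_type = sniff_image_type(data)
        if content_type is None:
            raise ValueError("not a supported image")
        token = secrets.token_urlsafe(16)  # server-chosen: no user-supplied name on disk
        with open(os.path.join(self.root_dir, token), "wb") as fh:
            fh.write(data)
        self.index[token] = content_type
        return token

    def serve(self, token):
        """Return (headers, bytes) for a stored upload, or None if unknown.
        Only tokens we issued map to files, so there is no path to traverse."""
        content_type = self.index.get(token)
        if content_type is None:
            return None
        with open(os.path.join(self.root_dir, token), "rb") as fh:
            body = fh.read()
        headers = {
            "Content-Type": content_type,
            "Content-Disposition": "inline",
            "X-Content-Type-Options": "nosniff",  # browser must not second-guess the type
        }
        return headers, body


if __name__ == "__main__":
    store = UploadStore(tempfile.mkdtemp())  # stand-in for a private directory
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed sample
    token = store.save(fake_png)
    print(store.serve(token)[0])
```

Serving with nosniff matters because the browser would otherwise be free to guess a type from the content, which is exactly the guess the upload check is trying to take away from it.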
Make sure you have a firewall set up and are blocking all unnecessary ports; if possible, set up a DMZ that only allows access to ports 80 and 443 from the outside. This may not be possible if you don't have access to your server from an internal network, as you need to open ports to allow file upload and remote login to your server via SSH or RDP. If you allow files to be uploaded from the Internet, use only secure transfer methods to your server such as SFTP or SSH.
If possible, run your database on a different server than your web server. This means the database server is not directly accessible from the outside; only your web server can reach it, minimizing the risk of your data being exposed.
Finally, don’t forget to limit access to your server.
Secure with HTTPS
HTTPS is a protocol used to provide security over the Internet. HTTPS assures users that they are interacting with the expected server and that no one else can intercept or change the content they are viewing.
If there is anything the user wants to keep private, you should use HTTPS to deliver it. A login form usually sets a cookie that is sent with every other request to your site while the user is logged in and is used to authenticate those requests; an attacker who can capture it can mimic the user perfectly and take over their login session. To counter these attacks, use HTTPS for your entire website. It is not as difficult and expensive as it used to be: you just have to enable HTTPS, and there are public tools for most frameworks that set this up for you automatically.
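"HTTPS for your entire website" is enforced by the application as well as the certificate: redirect plain-HTTP requests, mark the session cookie so the browser will only ever send it over HTTPS (and not expose it to scripts), and send an HSTS header so the browser stops trying HTTP at all. The Python example below is added here and is not the article's code; the request dictionary shape and cookie name are constructed, while Secure, HttpOnly, SameSite and Strict-Transport-Security are the real cookie attributes and header.

```python
def enforce_https(request):
    """Return a permanent redirect for a plain-HTTP request, or None when the
    request already arrived over HTTPS. `request` is a constructed dict with
    'scheme', 'host' and 'path' keys."""
    if request["scheme"] == "https":
        return None
    return {
        "status": 301,
        "headers": {"Location": "https://" + request["host"] + request["path"]},
    }


def session_cookie_header(session_id, max_age=3600):
    """Set-Cookie value for the login session: Secure keeps it off plain HTTP,
    HttpOnly keeps it away from injected scripts, SameSite limits cross-site use."""
    return "session=%s; Path=/; Max-Age=%d; Secure; HttpOnly; SameSite=Lax" % (
        session_id,
        max_age,
    )


def hsts_header(max_age=31536000, include_subdomains=True):
    """Strict-Transport-Security value: the browser remembers to use HTTPS
    for this host for max_age seconds."""
    value = "max-age=%d" % max_age
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def cookie_is_hardened(set_cookie):
    """Check an existing Set-Cookie value for the Secure and HttpOnly flags,
    the two attributes that stop the session-stealing scenario described above."""
    attributes = {
        part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]
    }
    return {"secure", "httponly"} <= attributes


if __name__ == "__main__":
    print(enforce_https({"scheme": "http", "host": "example.com", "path": "/login"}))
    cookie = session_cookie_header("constructed-session-id")
    print("Set-Cookie:", cookie, "| hardened:", cookie_is_hardened(cookie))
    print("Strict-Transport-Security:", hsts_header())
```

Send the HSTS header only from HTTPS responses (browsers ignore it on HTTP), and start with a short max-age until you are sure every subdomain is ready for HTTPS, because the browser will hold you to it.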
In addition, Google has announced that they will increase your website’s search ranking if you use HTTPS, which is completely beneficial for website SEO.
Website security tools
Once you think you have done all you can, take the time to test your website's security; the most effective way to do this is with security tools.
There are many free and commercial products to help you do this. They work on a similar basis to the scripts hackers use, checking for all sorts of exploits and attempting to compromise your website using some of the previously mentioned methods such as SQL injection. Some free tools worth noting:
Netsparker (which has a free version and a paid version) is good for SQL injection and XSS testing.
OpenVAS, the most advanced open source security scanner, is good for checking for vulnerabilities, but it can be difficult to set up as it requires an OpenVAS server to be installed. OpenVAS was forked from Nessus before Nessus became a closed-source commercial product.
SecurityHeaders.io (free online test), a tool that quickly reports on your website's security headers (such as whether CSP and HSTS are enabled or a correct domain name is configured…).
Xenotix XSS Exploit Framework, a tool from OWASP (Open Web Application Security Project), includes a series of XSS attack examples with which you can quickly confirm whether web page inputs are vulnerable in Chrome, Firefox, Coc Coc and IE.
The results from these tests can be bewildering because they present a lot of potential problems; it is important to focus on the important issues first. Each reported problem usually comes with a good explanation of the potential vulnerability, and you will probably find some medium to low level issues that are not a concern for your website.
If you want to take it a step further, there are further things you can do by changing POST/GET values; a debugging proxy can help, as it allows you to intercept the values of an HTTP request between your browser and the server. A popular freeware application called Fiddler is a wise choice.
Hopefully the above tips will help keep your website and information safe. Many CMSs come with website security features, but it is still a good idea to be knowledgeable about common security holes so you can proactively protect your own website. If you are not familiar with many of these technical issues, contact your website design company to perform website security for you.
If you are looking for a full-solution hosting service for your website, Tigerhostings is a good choice for you.