Web Design Blog

August 11, 2014

It’s a vicious cycle. The web keeps evolving and growing rapidly, and developers and programmers are caught in a constant game of catch-up.

The recent news of over a billion hacked passwords and Google’s announcement that it will start factoring TLS/HTTPS encryption into its search ranking are just two of many recent signs that we need to pay serious attention to security on the web. This post provides an overview of some steps you should be taking today to secure your website and protect your users’ data.

Encrypt the Connection Using HTTPS

If you aren’t transmitting data over HTTPS, your visitors are not protected from attackers monitoring their internet activity or stealing their credentials. Check your website using this tool to see whether there are any issues with your encrypted connection. If you do not have a certificate for HTTPS encryption and need one installed, I can help.

Here is a simple PHP script that will redirect users to the current page over HTTPS, followed by the equivalent Apache rewrite rule.


// with PHP
// $_SERVER['HTTPS'] is absent on plain HTTP, and some servers set it to "off"
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    // REQUEST_URI keeps the path and query string; SCRIPT_NAME would drop the query string
    $sslurl = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $sslurl, true, 301);
    exit; // stop executing the page over plain HTTP
}


# or with .htaccess on an Apache server (requires mod_rewrite)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Prevent Brute Force Attacks

One of the easiest ways to crack a website login page is with a dictionary or brute-force attack. You can defend against these attacks by adding defensive measures to your login page, including:

  • A CAPTCHA challenge/response field.
  • An additional layer of authentication using .htaccess.
  • My personal favorite is implementing Google 2 Step Verification. This method checks a random, time-sensitive code generated by a smartphone app. The same functionality can be implemented in your own custom web application. It is very secure because it authenticates based on something you know (your username and password) and something you possess (access to your smartphone).
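Checking such a code on the server, as an added example that is not part of the original post: a minimal PHP implementation of TOTP (RFC 6238, the scheme Google Authenticator implements). It assumes the user’s secret is stored base32-encoded, as the apps expect, and accepts one time step before and after the current one to tolerate clock drift.

```php
<?php
// Added example (not from the original post): server-side check of a 6-digit
// TOTP code, the RFC 6238 scheme that Google Authenticator and similar apps use.
// Assumes each user's secret is stored base32-encoded, as the apps expect.

function base32_decode_str(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $idx = strpos($alphabet, $ch);
        if ($idx === false) { throw new InvalidArgumentException('invalid base32 secret'); }
        $bits .= str_pad(decbin($idx), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); } // drop trailing padding bits
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
function hotp(string $secret, int $counter, int $digits = 6): string {
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code = ((ord($hash[$offset]) & 0x7f) << 24)
          | (ord($hash[$offset + 1]) << 16)
          | (ord($hash[$offset + 2]) << 8)
          | ord($hash[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): counter = unix time / 30 s; accept +-$window steps for clock drift.
// The loop always runs to completion and uses hash_equals so that response
// timing does not reveal which step (if any) matched.
function totp_verify(string $b32secret, string $userCode, int $now, int $window = 1): bool {
    $secret = base32_decode_str($b32secret);
    $step = intdiv($now, 30);
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp($secret, $step + $i), $userCode)) {
            $ok = true;
        }
    }
    return $ok;
}

// RFC 6238 Appendix B reference vector: ASCII secret "12345678901234567890", T = 59
var_dump(totp_verify('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59));
```

In production you should also record the last accepted time step per user so a code cannot be replayed within the window, and rate-limit attempts, since a 6-digit code has only a million possible values.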

Encrypt Passwords

Most websites are hashing passwords today; however, I suspect most aren’t doing it correctly, and I shudder to think how many are still storing passwords in plaintext. A plain md5 hash is easily cracked. Passwords need to be individually salted, with a unique salt per password. More information on creating cryptographically secure password hashes.

Sanitize User Input

Make sure any information entered by users does not contain unwanted code or symbols. All data should be checked and sanitized before it is used in a script, displayed on a page, or inserted into a database. There are many ways to go about this using modern programming languages and techniques.

Summary

I hope this brief overview of security practices gives you some direction when reviewing your own practices and securing your website. Please feel free to contact me if you need assistance implementing any of these measures. I would be happy to look at your site and give you a security evaluation.
