Website Security For Beginners
Security is a crucial subject that all web developers should know. After all, what good is a website if an attacker can cause it to go down in seconds? Unfortunately, it can be daunting to beginners when you start thinking of security simply as hoops you must jump through to have a safe site. So I've decided to outline several very important ideas for web security for beginners, or for experts who need a bit of a refresher.
Never Trust User Input
Always assume that any input from your users could potentially bring your site down to its knees, whether through malicious intent, or even by accident.
After all, user input is where the majority of all attacks on your website will come from, so to be constantly vigilant with anything input by the user. There isn't really any specific technique to achieve this, but it is always a good thing to remember at all times when working on your website's security.
Most of the points outlined below are related to this one, explaining various techniques to implement this important idea.
Sanitize All Input
User input that has not been properly sanitized can lead to all sorts of nasty things, like SQL injection and XSS attacks.
Make sure that you always sanitize your data when it is being input, and not when it is being retrieved from the database. It is always better to only have clean data stored, and avoids any problems if you slip up while sanitizing the data on output.
Keep Logic and Data Separate
Vulnerabilities in websites can often be exploited through code injection, which can often be as a result of mixing logic with data. A common example is SQL injection, where an attacker can exploit a vulnerability in your code by modifying your SQL queries to do their bidding.
A great way to separate logic from data is to use prepared statements when working with your database. Basically it helps to separate the two by not making you insert any values directly into your SQL statements, and instead binding parameters later and then executing them.
Use Proper Directory Permissions
You may be asking "People can't access my important files, isn't that enough?" It is all too common to find that a shared web host has not been properly configured with security in mind, allowing other users on the same server to access the files of other accounts who haven't set their file permissions correctly.
In general, it is usually discouraged to always set (
chmod) your file permissions to 777, because that means that just about anyone can have full access to it.
Use a Strong Password
This can't be said enough. Even with thousands of security measures protecting your site from a malicious user, a weak password can quickly end up counteracting the many security measures you have in place.
All of the general rules for passwords apply: make sure it's a decent length, mix uppercase and lowercase characters along with numbers and symbols, pick something that only you remember, and all that good stuff.
Prepare for the Worst
Unfortunately, even with some of the strongest security measures built into your site, nothing can ever stop an attacker who is determined enough to get into your site. So, it is also a good idea to prepare for that possibility.
Always keep frequent backups of both your site's files, and of your database. That way once your site is compromised, you'll at least be (hopefully) able to get back up and running as soon as possible. And once your backup is restored to your server, always make sure that you look over anything that could have potentially caused the attack, and fix the vulnerability to prevent this from ever happening again.
If you're interested in finding out about specific exploits, how they work, and how to protect against them, be sure to check out my other post on the subject, Hack Your Own Site.