Website Security
Jun 10
For developing a secure website in PHP or in any other language a developer must remember the following points:
1. User Input Validation (Server Side): Input validation is the “key” to application security.
User input fields are the major entry points for most of the attackers. Parse the user input field as it is already defined (E.g. integer, float, and string) and if the parsing fails then display a proper error message to the user.
If the application has a cross site scripting vulnerability they can steal the cookie and thereby have an un-authorized access to the system or inject a malicious SQL query to launch an SQL injection attack or can cause buffer overrun and thereby execute a remote code or in the worst case can launch a denial of service attack (DoS)
2. Write Permission Off: This is also one of the most important factors for a secure web development. On completion of the website, when you will host the site on your web server, you must ensure that the files and directory in the webroot folder are WRITE protected from the outside world.
3. Error Reporting Off: Error reporting creates a security risk for hackers. A standard attack tactic involves profiling a system by feeding it improper data, and checking for the kinds, and contexts, of the errors which are returned. This allows the system cracker to probe for information about the server, coding styles and to determine possible weaknesses. For example, if an attacker had gleaned information about a page based on a prior form submission, they may attempt to override variables, or modify them.
4. Restrict User Permission Role: The permission role for the user should be restricted from the user perspective. Suppose there is no option for creating table or drop table statement in your application. So the user access should be restricted from creating or dropping a table.
5. File Extension and MIME Type Checking: It is important that you check the MIME type of the file instead of just checking that it is an acceptable file extension. Let’s say you allow user to upload a zip file and it gets extracted at the server by running it. Hackers can take this opportunity to rename a .exe file to .zip and upload in your server. So keep checking the MIME type of the file at the time of uploading it.
6. Use HTTPS: Use https (SSL certificate) instead of http if possible.
7. Client Request Response Handling: Implement a script to handle this type of request problem. At times, requests start coming from the same client very frequently. Then just ignore those type requests as most of these requests are auto-generated.
8. Use Captcha: It is recommended to use Captcha for each form submission to protect against spamming.
9. Unformatted Client Side Code: Use unformatted code for client side like HTML, JavaScript so for hacking it will be tuff to understanding. Means don’t give the variable and function name as their meaning. (But it is tuff to do code like this way. Find a tool which will do it for you).
10. Protect Directory Listing: Place a blank index.html in your directory thereby protecting listing of files. Some servers do it themselves but it is recommended to be implemented at the time of development.
These are some basic steps to prevent your website from hackers. Lots of issues are still left unaddressed for website security.