How To Secure your Website?

While looking for modern methods and tools that let us say with at least some certainty that a website is protected from future hacker attacks (does anyone doubt that every site will face them? If it has not happened yet, it is only a matter of time), we gathered the recommendations that are considered in this article.

This is a short but important list of specific actions that anyone should take with their web resource if the company's reputation, the security of its web resources, and customer data are more than empty words to you.

There are several main ways to protect your site:

1. protect against DDoS attacks
2. connect an SSL certificate
3. use reliable hosting 
4. use secure plugins/libraries/frameworks/CMS (hereinafter referred to as “third-party modules”)
5. apply existing techniques to protect against SQL injection and XSS attacks
6. provide website logging and monitoring of security events
7. make regular backups of the website and all important data
8. use strong and complex passwords, as well as protection against password brute force
9. if there is an administrative panel through which the website content is managed, change its standard login address and provide access control.

Naturally, each item has its own "but" and some sub-items that deserve attention. The items can also be divided into two groups: some actions require a one-time connection, configuration, and occasional health checks (setting up hosting and an SSL certificate), while the others imply constant checks and updates and require close attention (everything else).

Reliable hosting and SSL

So, let's start from the assumption that our arsenal already includes a reliable server or virtual hosting; its administration remains beyond the scope of this article.

As for connecting an SSL certificate, this is a mandatory measure, and it needs no further comment.

DDoS Protection

If your hosting provider offers DDoS protection, or you use an anti-DDoS service, this question can be considered closed. But why not strengthen the protection and organize it yourself? That is undoubtedly a time-consuming task and implies using the following techniques together:

if Apache is used as the web server, put a caching proxy (Nginx or Lighttpd) in front of it, or better, use Nginx on the front end with several add-ons: limit buffer sizes and connection counts in Nginx, configure timeouts, etc.;

use the testcookie-nginx module;

use URL filtering and return the non-standard code 444, which lets Nginx close the connection without returning anything in response;

in some cases, use geographic blocking.

Security of third-party modules

As for the recommendation regarding the use of secure third-party modules in your applications, this topic is perhaps one of the most important, since most malicious attacks occur through third-party modules. 

The essence of this point is to use frameworks and libraries with built-in security features that help developers minimize the number of vulnerabilities introduced during implementation. Two more detailed recommendations on this point deserve highlighting:

use third-party modules from trusted sources that are supported by the community and actively developed, and keep an up-to-date list of all third-party modules you use;

use only the functionality that your application actually requires.

SQL injection and XSS attacks

The recommendation regarding protection against SQL injection and XSS attacks requires the most detailed explanation because the attackers here target specific data from the database (SQL injection) and user data (XSS attack). 

It should also be understood that SQL injection is part of a broader topic: secure access to all data stores, including relational and NoSQL databases. This covers query security (untrusted input must never become part of an SQL command; the best solution is parameterized queries, which can be applied to SQL/OQL constructs and stored procedures) and configuration (make sure the security features of the DBMS and of the platform it runs on are correctly configured).

As for cross-site scripting (XSS), reflected XSS and DOM-based XSS can cause moderate consequences, while stored XSS, with code executed in the user's browser, can have serious consequences: stolen credentials, hijacked sessions, or installed malware.

The main protection measures here are escaping (adding certain character combinations before characters or strings so that they are not misinterpreted) and data encoding (converting certain characters into combinations that are harmless to the interpreter) on the server side, plus a set of HTTP headers, in particular Set-Cookie with the HttpOnly and Secure flags.
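Server-side output encoding next to the unencoded version, together with a session cookie carrying the flags just mentioned, as an added example (not from the article). The comment text and session id are constructed; the token format check is an assumption.

```python
import html
import re

# Constructed user-supplied comment text (example input, not from the article).
UNTRUSTED = '<script>alert(1)</script>" onmouseover="x'


def render_comment_unsafe(text):
    # Untrusted data is pasted straight into the HTML; the browser parses it as markup.
    return f'<div class="comment" title="{text}">{text}</div>'


def render_comment_safe(text):
    # Output encoding: html.escape turns & < > " ' into entities, so the browser shows
    # the text as text, both in element content and inside a quoted attribute.
    safe = html.escape(text, quote=True)
    return f'<div class="comment" title="{safe}">{safe}</div>'


def session_cookie_header(session_id):
    # HttpOnly keeps the cookie out of document.cookie (limits the damage if an XSS
    # slips through), Secure restricts it to HTTPS, SameSite=Strict blunts cross-site
    # requests. The token format is an assumption: opaque, letters/digits only.
    if not re.fullmatch(r"[A-Za-z0-9_-]{16,128}", session_id):
        raise ValueError("session id must be an opaque random token")
    return f"Set-Cookie: session={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    print(render_comment_unsafe(UNTRUSTED))
    print(render_comment_safe(UNTRUSTED))
    print(session_cookie_header("k3J9x2mQ7LpZ8wRt4vNb"))  # constructed token
```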

A common security measure used to prevent SQL injection and cross-site scripting is to validate all input data against a syntactic and semantic norm. 

The syntactic norm means that the input fully matches the expected form of representation; the semantic norm means that the input does not go beyond the specific functionality it is meant for.
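The two norms applied to one constructed order form, as an added example (not from the article): the syntactic checks reject anything that is not in the expected shape, and only well-formed values reach the semantic checks (known product, quantity within stock, delivery date not in the past). The product-code format, inventory and date are all assumptions.

```python
import re
from datetime import date

PRODUCT_CODE = re.compile(r"[A-Z]{3}-\d{4}")      # assumed format, e.g. ABC-0001
STOCK = {"ABC-0001": 5, "XYZ-0042": 0}           # constructed inventory
EXAMPLE_TODAY = date(2024, 5, 1)                  # constructed "today" for the demo


def validate_order(form, today=EXAMPLE_TODAY):
    """Return a list of error strings; an empty list means the order is accepted."""
    errors = []
    code, qty, day = form.get("code", ""), form.get("qty", ""), form.get("date", "")

    # Syntactic norm: each field fully matches the expected form of representation.
    if not PRODUCT_CODE.fullmatch(code):
        errors.append("code: expected format AAA-0000")
    if not re.fullmatch(r"\d{1,3}", qty):
        errors.append("qty: expected 1-3 digits")
    try:
        delivery = date.fromisoformat(day)
    except ValueError:
        errors.append("date: expected YYYY-MM-DD")
    if errors:
        return errors  # malformed data never reaches the meaning checks

    # Semantic norm: well-formed values must still make sense for this functionality.
    if code not in STOCK:
        errors.append("code: unknown product")
    elif not 1 <= int(qty) <= STOCK[code]:
        errors.append("qty: must be between 1 and the available stock")
    if delivery < today:
        errors.append("date: delivery date is in the past")
    return errors
```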

Logging and monitoring

The recommendation on logging all events and monitoring security events was already mentioned when discussing DDoS protection, but here the broader side of the issue is considered: detecting attacks and countering them, as well as investigating security incidents that have already occurred.

In addition to the standard logging tools provided by the web server, make sure that the time of the event and the user ID are logged, along with potentially dangerous activity specific to your website.

If malicious activity is detected, your application should block the user session or the IP address, in general take action, and notify the administrator. Here we are talking about tools such as a WAF or an IDS/IPS.
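A small detection rule run over constructed application log lines, as an added example (not from the article): each line carries the event time, client IP, user ID and event, and the rule flags a source that exceeds a number of failed logins in a sliding window, then produces the block rule and administrator alert the text calls for. The log format, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from the article): time, client IP, user ID, event.
LOG_LINES = """\
2024-05-01T10:00:01 203.0.113.7 alice login_failed
2024-05-01T10:00:03 203.0.113.7 alice login_failed
2024-05-01T10:00:04 203.0.113.7 admin login_failed
2024-05-01T10:00:05 203.0.113.7 root login_failed
2024-05-01T10:00:06 203.0.113.7 test login_failed
2024-05-01T10:00:09 198.51.100.2 bob login_ok
2024-05-01T10:05:00 198.51.100.2 bob login_failed
2024-05-01T10:30:00 198.51.100.2 bob login_failed
""".splitlines()

THRESHOLD = 5                   # failures that trigger a block (assumed value)
WINDOW = timedelta(minutes=1)   # ...within this sliding window (assumed value)


def parse(line):
    ts, ip, user, event = line.split()
    return datetime.fromisoformat(ts), ip, user, event


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time_of_block} for sources exceeding `threshold` failures in `window`."""
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in lines:
        ts, ip, _user, event = parse(line)
        if event != "login_failed" or ip in blocked:
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= threshold:
            blocked[ip] = ts
    return blocked


def respond(blocked):
    """Produce a deny rule per source and an alert line per block (returned, not sent)."""
    rules = [f"deny {ip};" for ip in sorted(blocked)]   # constructed Nginx-style deny lines
    alerts = [f"ALERT {ts.isoformat()} repeated login failures from {ip}"
              for ip, ts in blocked.items()]
    return rules, alerts
```

Plugging the returned rules into a firewall or WAF and the alerts into a mail or chat hook is left to the caller.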

Backups

As for the regular backup of the website and all data, here it is necessary to think about the place and type of storage of this data. 

An effective approach is to encrypt critical data stores and backups, and to store backup files not on the website's own file system but elsewhere, in a place that is undoubtedly secure and always at hand for quick restoration.

12345 or qwerty?

The recommendation on strong and complex passwords is not only, and not so much, about passwords as about authentication and user session management in general.

There are three levels of authentication, and using only passwords is only one of the simplest levels (the second is multi-factor authentication; the third is encryption-based authentication). 

However, even here there are some requirements for the passwords themselves, the password recovery mechanism, and also for the secure storage of passwords. 
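The storage requirement in practice, as an added example (not from the article): passwords are checked against a minimum length and a denylist of common choices such as those in the section title, then stored as a salted PBKDF2-HMAC-SHA256 hash and verified with a constant-time comparison. The iteration count, denylist and stored-string layout are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2 work factor (assumed; tune to your hardware)
COMMON = {"12345", "123456", "qwerty", "password"}   # constructed denylist sample


def password_is_acceptable(pw):
    """Length floor plus denylist; the text's '12345' and 'qwerty' both fail here."""
    return len(pw) >= 12 and pw.lower() not in COMMON


def hash_password(pw, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>' (assumed layout)."""
    salt = salt or os.urandom(16)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(pw, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", pw.encode(), base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))
```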

Session management allows you to control the user's authentication state to work with the website without re-authentication. Sessions also have requirements for creation and termination.

Admin panel protection

The final recommendation is to protect the admin panel of the website, because it is one of the weak points of the overall system due to the extensive functionality it exposes: adding and editing posts and pages, working with files, and much more.

Therefore, it is important to ensure proper access control, to hide the location of the administrative panel from intruders as far as possible (simply by moving it to a non-standard address), and to protect this entry point as much as possible: protection against enumeration, filtering by IP address, and so on.

When building an access control system, the following principles should be followed:

1. send all requests through the access control system
2. deny access by default (reject the request unless it was explicitly allowed)
3. grant minimum privileges to all users, programs, and processes
4. avoid a role-based access control model hard-coded in the application code
5. log all events related to access control.
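The five principles in one small authorization layer, as an added example (not from the article): permissions come from a policy table rather than from role checks scattered through handlers, every request passes through one chokepoint that denies unless a permission is explicitly present, authors get only edit rights on their own posts, and every decision is recorded. The roles, actions and policy contents are constructed.

```python
import logging

# Constructed policy data (not from the article). Loading this from a table or file
# means roles change without touching code; here it is an inline dict for the demo.
POLICY = {
    "editor": {"post:read", "post:edit", "post:delete"},
    "author": {"post:read", "post:create", "post:edit:own"},
    "viewer": {"post:read"},
}

log = logging.getLogger("access")
DECISIONS = []   # every allow/deny is appended here, a stand-in for the audit log


def is_allowed(user, role, action, resource_owner=None):
    """Single chokepoint: deny unless the policy explicitly grants the action."""
    permissions = POLICY.get(role, set())   # unknown role -> empty set -> deny
    allowed = action in permissions
    # Least privilege: 'post:edit:own' only covers the requester's own resource.
    if not allowed and action == "post:edit":
        allowed = "post:edit:own" in permissions and resource_owner == user
    decision = "allow" if allowed else "deny"
    DECISIONS.append((user, role, action, decision))
    log.info("user=%s role=%s action=%s owner=%s decision=%s",
             user, role, action, resource_owner, decision)
    return allowed


def handle_request(user, role, action, resource_owner=None):
    """Every handler calls is_allowed first; no code path skips the check."""
    if not is_allowed(user, role, action, resource_owner):
        return 403, "forbidden"
    return 200, f"{action} ok"
```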

Conclusion

This overview article discusses some techniques aimed at raising the security level of a website. Each recommendation deserves separate consideration, but even from such a brief review one thing is clear: the approach to security must be comprehensive and systematic, and it does not tolerate a condescending attitude.

It is necessary to carefully approach access control, keep existing third-party modules up to date, filter input data, and much more. Have something to add? Be sure to share in the comments.
