Basic Tips on Securing A Website From Hackers

We're not experts on website security. This page is merely a set of notes we have taken as we get more up to speed on website security. Don't take this as complete advice - we're probably leaving lots of steps out.

Basic steps to take if you are hosting your own website:

1. Properly configure your firewall between the internet and your web server.

2. Put your web server in a DMZ network zone that is isolated from the rest of your network. Have a firewall between the DMZ and the rest of your network.

3. Ideally, don't have any other applications running on your web server. If your web server gets hacked or has malware installed on it, and the server temporarily goes down, nothing else on your network will be affected.

4. Keep your web server updated with the latest Windows service packs.

5. Have an anti-virus program running on your web server. More importantly, make sure the anti-virus program is constantly updated (don't let your license expire, since that stops the program's automatic updates).

6. Install a Secure Sockets Layer (SSL) certificate on your web server to encrypt traffic between the browser and your web server.

7. If using a Windows Server, consider installing Microsoft's UrlScan tool. See http://www.iis.net/downloads/microsoft/urlscan.

8. Consider installing a web application firewall. There are lots of them on the market. Here's one: https://www.barracuda.com/products/webapplicationfirewall. Or use a SaaS service like https://www.xybershield.com/.

Basic steps to take if your website is connecting to a database:

9. Ideally, don't let the web server connect directly to your production database server. Try to have an intermediate database server between the web server and the production database server. This intermediate database server should be in its own DMZ network zone in your network.

10. If the website is connecting directly to a database, use database credentials with the minimum rights needed on that database. Don't ever have your website connect to a database as "sa" or another administrative user ID.

11. Do server-side validation of form submissions. Try to validate field lengths or restrict the types of characters allowed. It's tricky to do this in a way that doesn't interfere with a user trying to submit a form, but do the best you can.

12. Stop the website from returning SQL error messages to the browser. These error messages might contain information that is useful to a hacker, such as database table names or field names.

13. Take other steps when writing your SQL to prevent SQL injection attacks. Here are some websites to read about it:

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

http://www.sommarskog.se/dynamic_sql.html#OPENQUERY

14. Take steps to prevent cross-site scripting.

A simple test to see if your website is vulnerable to a cross-site scripting attack is to enter the following code snippet into a form field and submit the form:

<script>alert("Vulnerable to XSS");</script>

If an alert window pops up with the "Vulnerable to XSS" message when the form data is processed and displayed, then the application accepts HTML tags and is at risk, because the input data was not validated either before being processed or before being published.
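As an added example that is not part of the original notes, here is what items 11 through 14 look like in application code, using Python's sqlite3 module and a constructed two-row user table in place of the real site's database: a concatenated query beside its parameterised replacement, a server-side username check, a generic error message with the real error logged server-side only, and HTML encoding of anything echoed back, checked against the page's own XSS probe.

```python
import html
import logging
import re
import sqlite3

log = logging.getLogger("webapp")

# Constructed sample rows standing in for the site's user table.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def lookup_unsafe(conn, name):
    # The submitted value is spliced into the SQL text, so a quote in the
    # input changes what the query means (the problem item 13 is about).
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameterised query: the driver sends the value separately from the
    # SQL text, so it is only ever compared as data, never parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def valid_username(name):
    # Item 11: server-side check of length and allowed characters.
    return bool(USERNAME_RE.match(name))

def handle_lookup(conn, name):
    # Returns the HTML fragment the server sends back for a lookup request.
    if not valid_username(name):
        # Item 14: HTML-encode anything echoed back, so the page's probe
        # <script>alert("Vulnerable to XSS");</script> renders as text.
        return "<p>Invalid username: %s</p>" % html.escape(name)
    try:
        rows = lookup_safe(conn, name)
    except sqlite3.Error as exc:
        # Item 12: log the real error server-side, show the browser a generic one.
        log.error("lookup failed: %s", exc)
        return "<p>Lookup failed.</p>"
    if not rows:
        return "<p>No such user.</p>"
    return "<p>Hello, %s</p>" % html.escape(rows[0][0])
```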

More resources

The OWASP Foundation is a non-profit dedicated to helping developers build secure websites and applications. See https://www.owasp.org/index.php/About_OWASP for information about them.

See OWASP's good intro page at: https://www.owasp.org/index.php/OWASP_Application_Security_FAQ