Sunday, March 18, 2018

16 security tips for web developers

Web Security

1. Keep software up to date

Many developers prefer to stay on an old version of a piece of software because they are more familiar with it. Old versions carry known vulnerabilities that the newer releases have fixed, so this can lead to a security breach. It is therefore recommended to always stay on the latest version.

2. Prevent SQL Injection

SQL injection is one of the most common attacks used to harm websites. It can be prevented by using prepared statements, for example through PDO (PHP Data Objects).

In a prepared SQL statement a placeholder is used instead of mixing user-supplied data into the SQL text; the database receives the value separately and never interprets it as part of the query.
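The difference between the two approaches, as an added example that is not part of the original post. It runs against an in-memory SQLite database through PDO so that it works stand-alone; the `users` table, its rows and the test input are all constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Uses an in-memory SQLite database
// through PDO so it runs stand-alone; the `users` table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (email, role) VALUES ('alice@example.com', 'admin'), ('bob@example.com', 'user')");

// VULNERABLE: user input is concatenated straight into the SQL text, so the
// input can change the structure of the query instead of just supplying a value.
function findUserUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email, role FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a prepared statement with a placeholder. The SQL is parsed first and the
// value is bound afterwards, so it is always treated as data, never as SQL.
function findUserSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email, role FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: not any user's e-mail address, but it contains a quote
// that closes the string literal in the unsafe query.
$input = "' OR '1'='1";

echo "unsafe query matched " . count(findUserUnsafe($pdo, $input)) . " row(s)\n";
echo "safe query matched   " . count(findUserSafe($pdo, $input)) . " row(s)\n";
```

Running it shows the concatenated query matching every user while the prepared statement matches none, because the placeholder compares the whole input string against the `email` column. When the backend is MySQL rather than SQLite, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so PDO uses the server's native prepared statements instead of quoting the values client-side.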

3. Prevent XSS attacks

XSS (Cross-Site Scripting) is used to insert malicious JavaScript code into a web page, which can then be used to steal cookies or other information from the browser.

To prevent this type of attack, escape user input before displaying it on a web page, so that the browser renders it as text rather than executing it.

4. Double form validation

Form validation should be done on both the client side and the server side. Client-side validation is done with JavaScript, which a user can disable in his/her browser, so only the server-side check can be relied on and doing both is safer.
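Tips 3 and 4 together, as an added example that is not code from the original post: a server-side validator for a hypothetical comment form, followed by escaping of the stored text at output time. The field names, length limits and the submitted values are assumptions constructed for the demonstration; it assumes PHP's mbstring extension for `mb_strlen()`.

```php
<?php
// Added example (not from the original post). Server-side validation of a
// hypothetical comment form plus HTML escaping on output. Field names, limits
// and the submission below are constructed for the demonstration.

/**
 * Validate a submission on the server, regardless of what the browser checked.
 * Returns a list of error messages (empty when the input is acceptable).
 */
function validateCommentForm(array $post): array
{
    $errors = [];

    $name = trim($post['name'] ?? '');
    if ($name === '' || mb_strlen($name) > 50) {
        $errors[] = 'Name must be between 1 and 50 characters.';
    }

    $email = trim($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }

    $comment = $post['comment'] ?? '';
    if (mb_strlen($comment) < 1 || mb_strlen($comment) > 1000) {
        $errors[] = 'Comment must be between 1 and 1000 characters.';
    }

    return $errors;
}

/** Escape a value for use in HTML element content or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed submission: the name is longer than the client-side rule allows
// (as if JavaScript had been disabled) and the comment carries a script tag.
$submitted = [
    'name'    => str_repeat('A', 60),
    'email'   => 'not-an-email',
    'comment' => '<script>alert(document.cookie)</script>',
];

foreach (validateCommentForm($submitted) as $err) {
    echo "validation error: $err\n";
}

// Whatever is displayed is escaped at output time, so the browser shows the
// text of the comment instead of executing it.
echo '<p class="comment">' . e($submitted['comment']) . "</p>\n";
```

The validator reports the over-long name and the bad e-mail address even though a browser-side check would normally have stopped them, and the escaped comment comes out as `&lt;script&gt;...` inside the paragraph. Escaping is done at the point of output rather than at input so that the same stored value can be rendered safely in any HTML context later.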

5. File uploads

Validation of file uploads must be implemented. For example, if a user needs to upload a display picture, make sure that only image files are accepted.
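One way to do that check, as an added example rather than code from the original post: the file's real content is inspected with PHP's fileinfo extension and `getimagesize()`, the client-supplied name is discarded, and the accepted file is stored under a random name. The size limit, the accepted types and the two sample files (a genuine 1x1 PNG and a text file renamed to .png) are constructed for the demonstration; it assumes the fileinfo extension is available.

```php
<?php
// Added example (not from the original post). Validates that an upload really is
// an image by reading its content, not the name or MIME type the browser sent.
// Size limit, accepted types and the sample files are constructed for the demo.

const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

/**
 * Returns the extension to store the file under, or null when it is rejected.
 * $tmpPath is where PHP put the upload ($_FILES['avatar']['tmp_name']).
 */
function validateImageUpload(string $tmpPath): ?string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_IMAGE_BYTES) {
        return null;
    }

    // libmagic looks at the bytes, not at the file name or the Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        return null;
    }

    // getimagesize() parses the image header; a renamed text file fails here.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$info[2]];
}

/** Move a validated upload under a random name so the client never chooses the path. */
function storeUpload(string $tmpPath, string $ext, string $uploadDir): string
{
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // In a real request handler use move_uploaded_file(); rename() is used here
    // so the example runs on ordinary files.
    rename($tmpPath, $dest);
    return $dest;
}

// Constructed inputs: a genuine 1x1 transparent PNG and a text file wearing a .png name.
$pngBytes = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$realPng = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($realPng, $pngBytes);
$fakePng = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fakePng, 'this is plain text, not an image');

$ext = validateImageUpload($realPng);
if ($ext !== null) {
    $saved = storeUpload($realPng, $ext, sys_get_temp_dir());
    echo "accepted real image, stored as " . basename($saved) . "\n";
    unlink($saved);
} else {
    echo "real image rejected\n";
    unlink($realPng);
}

echo (validateImageUpload($fakePng) === null ? 'rejected' : 'accepted') . " the disguised text file\n";
unlink($fakePng);
```

The upload directory passed to `storeUpload()` should sit outside the web root, and the extension is taken from the detected type rather than from the original file name, so a file that merely claims to be an image is never stored with an executable extension.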

6. Encourage users to use a strong password

It is good practice to encourage users to use a strong password. A strong password includes a mixture of capital and small letters, digits and special characters.

7. Good password hashing technique

Many users use the same password for every website, so if any one of those websites is compromised, their accounts elsewhere can also be accessed. Passwords must therefore never be stored in plain text; store only a strong, salted hash, so that a leaked database does not reveal the passwords themselves.
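Tips 6 and 7 in code, as an added example that is not part of the original post: a server-side strength check following the rule given above, and storage with `password_hash()` / `password_verify()` from PHP's standard library. The minimum length, the specific rules and the two sample passwords are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the original post). A strength check matching tip 6
// and hashing with password_hash()/password_verify() for tip 7. The minimum
// length, the rules and the sample passwords are constructed for the demo.

/** Returns the requirements a password fails to meet (empty when acceptable). */
function passwordWeaknesses(string $password): array
{
    $missing = [];
    if (strlen($password) < 12) {
        $missing[] = 'at least 12 characters';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $missing[] = 'an upper-case letter';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $missing[] = 'a lower-case letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $missing[] = 'a digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $missing[] = 'a special character';
    }
    return $missing;
}

/**
 * Hash for storage. PASSWORD_DEFAULT is currently bcrypt; every hash carries
 * its own random salt and work factor, so two users with the same password get
 * different hashes and a stolen table cannot be cracked with a single lookup.
 */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Check a login attempt against the stored hash (timing-safe comparison). */
function checkPassword(string $attempt, string $storedHash): bool
{
    return password_verify($attempt, $storedHash);
}

// Constructed sample values for the demonstration.
$weak   = 'password1';
$strong = 'Correct-Horse-7-Battery';

echo "weak password is missing: " . implode(', ', passwordWeaknesses($weak)) . "\n";
echo "strong password is missing " . count(passwordWeaknesses($strong)) . " requirement(s)\n";

$stored = hashPassword($strong);   // this string is what goes into the database
echo "stored hash: $stored\n";
echo "correct password accepted: " . var_export(checkPassword($strong, $stored), true) . "\n";
echo "wrong password accepted:   " . var_export(checkPassword($weak, $stored), true) . "\n";
```

Only the hash is ever written to the database; the plain password exists just long enough to be checked and hashed. Because `password_verify()` reads the algorithm and salt out of the hash itself, the stored value can be re-hashed with a stronger setting later (see `password_needs_rehash()`) without any change to the login code.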

8. Turn off form auto-fill

Form auto-fill is enabled by default. It can be turned off by adding autocomplete="off" to the form tag. Note that most current browsers ignore this attribute on login and password fields, so it is not a reliable protection for credentials.

9. Prevent direct access to the uploads folder

The simplest approach is to add an index.html file to the uploads folder, so that a request for the folder itself does not return a directory listing. This only hides the listing; a file whose name is known can still be requested directly.

10. Install SSL (HTTPS)

Adding an 's' to http does not just make it https: it encrypts the communication between point A and point B. So even if a user is on public Wi-Fi, his login details cannot be read by anyone sitting in the middle of the connection.

11. Minimal privilege for directories

The default permission of a directory is 0755 (the owner may read, write and enter it; everyone else may only read and enter it), which can be tightened according to need.

12. Minimal privilege for database user

Many developers grant all permissions to the database user, which is not a good practice on a development server. Grant only the privileges the application actually needs.

13. Server configuration file

Server configuration files should not be ignored. For the Apache web server it is '.htaccess' (per directory), for nginx 'nginx.conf', and for Microsoft IIS 'web.config'.
The server configuration file is very powerful and can be used for many purposes.

14. Hide admin pages

Admin pages can be hidden from search engines by using a robots.txt file. Note that robots.txt is only a request that well-behaved crawlers honour; it does not replace authentication on the admin pages themselves.

15. Custom error message

Always show a custom error message to the user instead of the actual error message, which may leak details of the application's internals. Using error codes for this purpose is a good idea.
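One way to implement this, as an added example that is not code from the original post: every uncaught exception is written to the error log together with a short random reference code, and the user sees only a generic message plus that code, which they can quote to support. The failing `loadProfile()` function and its error text are constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Logs the real exception with a
// reference code and shows the user only a generic message plus that code, so
// stack traces and database errors never reach the browser. The failing
// loadProfile() function and its message are constructed for the demo.

ini_set('display_errors', '0');   // never render PHP errors into the page
ini_set('log_errors', '1');

/** Simulated operation that fails with an internal detail we must not expose. */
function loadProfile(int $userId): array
{
    throw new RuntimeException("SQLSTATE[42S02]: table 'profiles' not found while loading user $userId");
}

/**
 * Turn an exception into a log record plus a safe response.
 * Returns the text that is shown to the user.
 */
function handleFailure(Throwable $e): string
{
    $ref = bin2hex(random_bytes(4));   // short code the user can quote to support
    error_log(sprintf(
        '[%s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    http_response_code(500);
    return "Something went wrong. Please try again later (error code $ref).";
}

// Catch everything that is not handled closer to where it happened.
set_exception_handler(function (Throwable $e): void {
    echo handleFailure($e), "\n";
});

// Constructed call that triggers the failure path.
echo loadProfile(42)['name'];
```

The detailed line goes to wherever `error_log` is configured to write, while the browser gets a fixed sentence and the reference code; searching the log for that code finds the real cause. Keeping `display_errors` off in production is what stops PHP itself from printing notices and warnings (with file paths) into the page.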

16. Regular backup

Backups should be made regularly and stored offline.