Web Security
1. Keep software up to date
Many developers prefer to stay on an old version of a piece of software because they are more familiar with it. Old versions often contain security flaws that have already been fixed in newer releases, so this can lead to a breach. It is recommended to always stay on the latest version.
2. Prevent SQL Injection
SQL Injection is one of the most commonly used attacks against websites. It can be prevented by using prepared statements, for example through PDO (PHP Data Objects).
In a prepared statement a placeholder is used in the SQL text and the user-supplied value is bound to it separately, instead of being mixed into the SQL string.
3. Prevent XSS attacks
XSS (Cross-Site Scripting) is used to insert malicious JavaScript into a web page, which can then be used to steal cookies or other information from the user's browser.
To prevent this type of attack, escape user input before displaying it on a web page, using the escaping rules of the context it is inserted into (HTML body, attribute value, JavaScript, URL).
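Escaping at the point of output, as an added example that is not from the original post. The `renderComment` helper and the sample values are constructed for the illustration.

```php
<?php
// Added example: escape user-controlled data where it is written into HTML.
function e(string $value): string
{
    // ENT_QUOTES escapes both quote styles so the value is also safe inside attribute values;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComment(string $author, string $body): string
{
    return '<p class="comment"><b>' . e($author) . '</b>: ' . e($body) . '</p>';
}

// Constructed input containing markup; it is displayed as text, not interpreted as HTML.
$author = '<b>Mallory</b>';
$body   = 'Hello <script>alert(1)</script> & "friends"';
echo renderComment($author, $body), PHP_EOL;
// <p class="comment"><b>&lt;b&gt;Mallory&lt;/b&gt;</b>: Hello &lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;friends&quot;</p>
```

`htmlspecialchars()` covers the HTML body and quoted attribute contexts only; a value placed inside a `<script>` block or a URL needs that context's own encoding (for example `json_encode()` with the `JSON_HEX_*` flags, or `rawurlencode()`).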
4. Double form validation
Form validation should be done on both the client side and the server side. Client-side validation is done with JavaScript, which the user can disable in his/her browser or bypass by sending requests directly, so the server-side check is the one that actually protects the application.
5. File uploads
Validation of file uploads must be implemented. For example, if a user needs to upload a display picture, make sure that only image files are accepted, checked by the file's actual contents rather than by its name or the type the browser claims.
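Server-side validation of a profile form and its display picture, as an added example covering points 4 and 5; it is not code from the original post. The field names, the size limit, the allowed image types and the upload directory are assumptions.

```php
<?php
// Added example for points 4 and 5: validate the submitted fields and the display picture
// on the server, regardless of what client-side JavaScript checked. Field names, limits
// and the upload directory are assumptions.
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function validateProfileFields(array $post): array
{
    $errors = [];
    $name = trim($post['name'] ?? '');
    if ($name === '' || mb_strlen($name) > 50) {
        $errors['name'] = 'Name is required and must be at most 50 characters.';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required.';
    }
    return $errors;
}

// $file is one entry of $_FILES. Returns [extension, null] on success or [null, error message].
function validateDisplayPicture(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [null, 'Upload failed or no file was sent.'];
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        return [null, 'Image is larger than 2 MB.'];
    }
    // Do not trust the client-supplied name or MIME type; sniff the file contents instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return [null, 'Only JPEG, PNG or GIF images are allowed.'];
    }
    // getimagesize() rejects files that merely begin with an image header.
    if (@getimagesize($file['tmp_name']) === false) {
        return [null, 'File is not a valid image.'];
    }
    return [ALLOWED_IMAGE_TYPES[$mime], null];
}

function storeDisplayPicture(array $file, string $ext, string $uploadDir): string
{
    // Server-chosen random name: the original filename never touches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $name)) {
        throw new RuntimeException('Could not store upload.');
    }
    return $name;
}

// Request handler. The upload directory is assumed to sit outside the web root,
// so stored files are never reachable by direct URL.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateProfileFields($_POST);
    [$ext, $fileError] = validateDisplayPicture($_FILES['picture'] ?? []);
    if ($fileError !== null) {
        $errors['picture'] = $fileError;
    }
    if ($errors) {
        http_response_code(422);
        header('Content-Type: application/json');
        echo json_encode(['errors' => $errors]);
        exit;
    }
    $stored = storeDisplayPicture($_FILES['picture'], $ext, '/var/app/uploads');
    header('Content-Type: application/json');
    echo json_encode(['picture' => $stored]);
}
```

The three checks are deliberately layered: `error` and `size` come from PHP's own upload handling, the MIME sniff looks at the bytes on disk, and `getimagesize()` confirms the file parses as an image, so a renamed script does not pass on its extension alone.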
6. Encourage users to use a strong password
It is good practice to encourage users to use a strong password. A strong password includes a mixture of capital and small letters, digits and special characters.
7. Good encryption technique for passwords
Many users use the same password for every website, so if any one of those websites is compromised their other accounts can also be accessed. Never store passwords in plain text: store a salted one-way hash instead, so that a leak of your own database does not hand out passwords that work elsewhere.
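A strength check at registration and one-way hashing for storage, as an added example covering points 6 and 7; it is not code from the original post. The minimum length of 12 and the sample password are assumptions.

```php
<?php
// Added example for points 6 and 7: a minimal strength check mirroring the rule in the post
// (capital and small letters, digits, special characters; the length limit is an assumption),
// plus one-way hashing so the stored value is never the plaintext.
function passwordProblems(string $password): array
{
    $problems = [];
    if (strlen($password) < 12) {
        $problems[] = 'at least 12 characters';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $problems[] = 'an uppercase letter';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $problems[] = 'a lowercase letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'a digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'a special character';
    }
    return $problems;
}

// password_hash() generates a random salt and embeds it in the returned string.
// PASSWORD_DEFAULT is bcrypt today and may move to a stronger algorithm in later PHP versions.
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkLogin(string $storedHash, string $candidate): bool
{
    return password_verify($candidate, $storedHash);
}

// Registration flow with a constructed sample password.
$candidate = 'Correct-Horse-42!';
$problems  = passwordProblems($candidate);
if ($problems) {
    echo 'Password needs: ', implode(', ', $problems), PHP_EOL;
} else {
    $hash = hashForStorage($candidate);              // "$2y$10$..." goes to the database, never the plaintext
    var_dump(checkLogin($hash, $candidate));         // bool(true)
    var_dump(checkLogin($hash, 'wrong-password'));   // bool(false)
    // Re-hash on login when the default cost or algorithm has changed since the hash was made.
    var_dump(password_needs_rehash($hash, PASSWORD_DEFAULT)); // bool(false) right after hashing
}
```

Because the salt lives inside the hash string, no separate salt column is needed, and `password_verify()` is the only correct way to compare: comparing two `password_hash()` outputs for the same password will never match.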
8. Turn off form auto fill
Form auto fill is enabled by default. It can be turned off by adding autocomplete="off" to the form tag, or to individual input fields. Note that most current browsers ignore this attribute for password fields and still offer to save the password, so do not rely on it to keep credentials out of the browser.
9. Prevent direct access to the uploads folder
The simplest approach is to add an index.html file to the uploads folder, which stops the web server from listing its contents. This only hides the listing: a file is still reachable if its URL is known. For real protection, store uploads outside the web root, or deny direct access to the folder in the server configuration and serve files through a script that checks the user's authorization.
10. Install SSL (HTTPS)
Adding the 's' to http does more than make it https: it encrypts the communication between point A and point B. So even if a user is on public Wi-Fi, their login details cannot be read or reused by anyone sitting in the middle of the connection.
11. Minimal privileges for directories
The default permission of a directory is 0755 (the owner may write; everyone else may only read and enter), which can be tightened according to need. Give the web server user write access only to the directories it genuinely needs to write to, such as the uploads folder, and nowhere else.
12. Minimal privileges for the database user
Many developers grant all permissions to the application's database user, which is not good practice on a development server. Grant only the statements the application needs (typically SELECT, INSERT, UPDATE and DELETE on its own tables), so that an SQL injection or a leaked credential cannot drop tables or read other databases.
13. Server configuration file
The server configuration file should not be ignored. In the Apache web server it is '.htaccess', in nginx 'nginx.conf', and in Microsoft IIS 'web.config'.
The server configuration file is very powerful and can be used for many purposes, such as denying access to directories, adding security headers and redirecting http to https.
14. Hide admin pages
Admin pages can be hidden from search engines using a robots.txt file. Keep in mind that robots.txt is public and only advisory: listing the admin path in it tells anyone who reads the file where the admin area is, and it is no substitute for proper authentication on the admin pages themselves.
15. Custom error messages
Always show a custom error message to the user instead of the actual error message, which can reveal file paths, SQL queries or credentials. For this purpose, using error codes is a good idea: log the full error on the server under a reference code and show the user only that code.
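An error handler built on that idea, as an added example that is not code from the original post. The reference-code format and the failing database connection at the end are constructed for the illustration.

```php
<?php
// Added example: log the real exception under a generated reference code and show the
// user only a generic message carrying that code. The failing PDO connection at the end
// is a constructed error whose raw message would otherwise reveal host and user names.
ini_set('display_errors', '0');   // never render PHP errors into the response in production
ini_set('log_errors', '1');
error_reporting(E_ALL);

function reportAndRespond(Throwable $e): void
{
    $ref = bin2hex(random_bytes(4));   // short code the user can quote to support
    // Full detail (class, message, file:line, trace) goes to the server-side log only.
    error_log(sprintf(
        "[%s] %s: %s in %s:%d\n%s",
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(), $e->getTraceAsString()
    ));
    http_response_code(500);
    header('Content-Type: text/plain; charset=UTF-8');
    echo "Something went wrong. Reference code: $ref", PHP_EOL;
}

set_exception_handler('reportAndRespond');

// Turn PHP warnings and notices into exceptions so they reach the same handler.
set_error_handler(function (int $severity, string $message, string $file, int $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Constructed failure: the connection cannot be made, and the PDOException's own message
// would name the host and database. The user sees only the reference code.
$pdo = new PDO('mysql:host=db.internal;dbname=shop', 'app', 'constructed-password');
```

The reference code is what makes the generic message workable in practice: support staff can grep the server log for it and see the full trace, while the response to the client carries nothing about the internals.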
16. Regular backups
Backups should be made regularly and stored offline, and restoring from them should be tested from time to time so you know they actually work.
Nice one sir, every developer should take care of these things.
Very good 🙂