Every day thousands of websites launches, and every website owner has big but common concerns: security and performance of the website. Search engines recommends securing websites, especially when it comes to personal information of users and payment gateway for the e-commerce transactions. Yes, https is almost a requirement when you’re collecting information or displaying confidential information. Leading search engines will penalize if your website is not https.
Being hacked is painful, and it is the biggest nightmare for the system administrator. Here, I am referring to the hackers that get into the websites and add a malicious content/script or adding phishing redirection script in the website. As a developer, we always try to create a secure application that minimize the risks of getting hacked. Nobody can build a perfect system that cannot be hacked, but we should always try to make more secure application with less vulnerability.
As a developer, you need to be smart when it comes to testing the security of your website because hackers can exploit our website data and security anytime by hacking your website. Most hacking is done by an automated script written by hackers, which is accessed by a hacker when you request HTTP through the network protocol, and they modify the request and submit it to the server. We need to secure our code and authenticate third-party API when the data is sent back/forth.
Scope of websites security:
1) Computer configuration: Check your computer must have antivirus installed, coz visiting infected website or using infected USB can harm your data.
2) Web Security: SSL certificate, server like apache, nginx, php, mysql & clean code is recommended.
3) Server security: Linux, Windows (Recommended Linux server for PHP applications)
4) Network security: Firewall, Routers & proxies must be properly setup.
There are the security points which needs to cover while launching the website. Web security is a layered approach. You can create a checklist of security before launching the website.
Website security check points:
Ensure that all your website software’s are updated. This simple but basic thing can help fix lot of known security bugs that’s discovered by the community or the software owner. When it comes to software try to check the OS of the software as well as if you used any software in your website, then must check it should be latest version, as outdated functions also become vulnerable for website.
Check if your hosting company update the server regularly. Sometimes they will offer that service as premium service or part of the hosting package, but this would be very helpful. If the server security is managed by hosting, company you should only take care of third party API or CRM, to check for the updates when any update releases.
To handle dependencies, developers who are using composer, npm and packages ensure that all dependencies are up to date and try to enable automated notification feature when any new updates are released.
SQL Injection attacks happens when the website form is submitted and passes parameters in the URL, hackers takes access and manipulate your database with malicious content and inject malicious script in the database. Because it is easy to modify your query and get access to delete or modify your data, but you can easily prevent this by using PDO connection because this feature is supported by all technologies. Parameterized queries are more secure then normal SQL queries.
Consider following query :
Select * from table_name where column_name = ‘”+ value +”’ ;
If attacker change the value like 1 = 1 , then the query changes and it will inject our database , query looks like :
Select * from table_name where column_name = ‘ ’ OR 1 = 1 ;
1 = 1 will allow attacker to add extra query at the end that is also execute with the current query and harm our data.
You can fix this issue by implementing PDO connection in our website, to execute the queries. PDO is parametrized query so no one can add extra stuff to the query so in this way you can prevent from SQL injection.
XSS stands for Cross Site Scripting and these attacks are common, which generally happens via comment box of blog and forum discussions. Attackers write malicious script and adding that to comment box and submitting that script. By using this script attacker can add unwanted data to the pages.
If the page with following code run in the browser and get the alert box with the text, (for example:- We got access…), it means your website are vulnerable.
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" data-wp-preserve="%3Cscript%3Ealert(%E2%80%98We%20got%20access...%E2%80%99)%3C%2Fscript%3E" data-mce-resize="false" data-mce-placeholder="1" class="mce-object" width="20" height="20" alt="<script>" title="<script>
You can easily prevent from this type of attacks by using validation in comment box or discussion form, that is apply on client & server side validation which will sanitize your input then submit the user data. Another powerful tool in the XSS defender’s toolbox is Content Security Policy (CSP).
Use strip_tags() and htmlspecialchars() to sanitize input and output of the pages. With the help of this you will be secure from XSS attack.
Always try to validate your website by client side validation and server side validation. If we add both type of validation on websites it will be more secure. Browser can only check for client side validation, this is the validation that attacker can easily bypass. So for the security reason its recommended to add server side validation and try to make both validations as same. It will be difficult to bypass all the validations and we can create more secure webpages. Validations is considered as a backbone of any website, if we have secure validation then it’s impossible for anybody to reach to our database and harm our data.
For security purpose always use strong validations.
It’s strongly recommended to use HTTPS protocol instead of HTTP, as it provides security over internet. HTTPs takes care of your request and also make sure that nobody else can interrupt your request. If you are passing personal information over internet then its strongly recommended to use https protocol. Also if you have payment gateway on your site or having ecommerce site, then https protocol is almost a requirement.
Public key and signed certificate are required for https. In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities of request.
Following case where you can use https :
1. Banking website
2. Government data website
3. Payment gateway or E-commerce
CSRF stands for Cross-Site Request Forgery, it is known as one click attack, session over riding.
When a user is logged onto the website and if it’s not protected with CSRF, then hackers can override the user’s session and get access to their connection/session. With the help of sessions, hackers can add malicious content, phishing redirection and irrelevant stuff on the website.
To prevent from CSRF attack, generate random token and save it in session and add it in hidden field of your file then validate it on every request. For every request it generates news token and validate and if your token matches then only it will be submitted otherwise not. Because hacker don’t have access of token in hidden form field, so your request will be safe.
Always use framework like PHP (Laravel, CodeIgniter etc.) for your development as it provides in built support of CSRF.
1. Logout website when not in use
2. Use strong password
3. Shorten the time of remember me
Cookies are mainly used in website development for faster access when there are follow-up visits from users. After user accepts cookies, websites start loading faster as data is retrieved from stored cookies. But most of developers don’t know how to present or use the cookies in secured way. So, hackers can easily access cookies and replace them with bad content as you have not used secured cookies.
Set the secure cookie for single domain like following :
setcookie( name, value, expire, path, domain, secure, http only);
setcookie( 'cookie_name', 'kuldeep', 0, '/', '.example', false, false);
// Locked your cookie for domain only
setcookie( ''cookie_name', 'kuldeep', 0, '/blog', 'www.cmsminds.com', isset($_SERVER["HTTPS"]), true);
For enhanced security the value you are adding in cookies can also be encrypted, so generated cookies will be more secure. This cookie is for the single domain only.
Hackers can hack the website anytime and at any stage of development and earn from your website, so ensure sure that you are ready for this challenge. We are the leading PHP development company in RTP (Research Triangle Park), NC, USA. If you’re a website owner and you’re not sure how secured your website is, we can do an audit to help you see if there are possible vulnerabilities. Connect with one of our team members at email@example.com
Autoload & PSR In PHP