Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles
(untagged)

Secure Your Website, Put Bouncers at the Door (Part 1)

0.00/5 (No votes)
12 Apr 2010 2  
Sure your website by putting bouncers at the door

A good website is much like a nightclub, we want the general population to be able to use the facilities freely (or for a nominal fee!) but we don’t want the trouble makers that will spoil it for everyone. Pushing the analogy further, nightclubs have a few different types of security in place:

VisibilityImplementationMitigates
High ProfileBouncersFilter out trouble makers at point of entry
 Internal SecurityEject people that become troublemakers
Low ProfileBars on Windows
Alarmed Exits
Prevent people sneaking in
 Metal Detectors
Security Cameras
Passively check for people about to cause trouble

As web developers, we have a very similar set of tools that we can use to secure our website:

VisibilityImplementationMitigates
High ProfileInput Validation
(Metal Detectors)
Filters out bad information early
 Authentication
(Bouncer)
Allow members on to the site
 HTTPS
(Bars on Windows)
Prevent people monitoring user traffic
Low ProfileInput Sanitation
(Security Cameras)
Filter out bad requests
 Robots.txt
(Bars on Windows)
Hide sensitive pages from popular web spiders
 Network Segregation and Infrastructure
(Alarmed Exits )
Control access to sensitive information

There’s lots of information out there about configuring the High Profile security measures and Network Segregation and Infrastructure is best implemented by the network specialists (it doesn’t hurt to understand the basics) and these things are generally well implemented.

As web developers, we have to worry about the things that happen inside the website, making sure that the front entrance is the only way in and limiting the damage if someone does get in. So our implementation priorities for any website have to be:

  1. Input Validation – Every piece of information that comes from the client is suspect and should be validated, this includes query string, form fields (even hidden ones!) and cookie values
  2. Input Sanitation - Ensure that any inject SQL or XSS script is neutralised
  3. Robots.txt – It may not be a bullet proof defence if someone’s targeting your site, but at least you can minimise drive-by hacking through Google!
  4. Authentication – Allow only authorised users through
  5. HTTPS – Secure the traffic from client to server

In Part 2, I’ll go over some of the best practises that we can follow, as developers, to make our website secure.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here