With over 25 years of experience in mitigating cyber risk for organisations throughout the UK, our team of experienced and highly skilled security experts and penetration testers often find the same common security issues on websites when carrying out web application testing. This means that we know how to secure a website effectively.
In this post, we share eight ways to secure a website, minimise the risk of security breaches, protect your website from hackers and secure your customers’ data.
Protect Your Website – Install an SSL Certificate
A Secure Sockets Layer (SSL) certificate encrypts data exchanged between the client and the website. This includes data such as your customer’s credentials and/or bank details. Therefore, SSL Certificates are essential if there is any sensitive information passing through the website.
SSL Certificates are also necessary when considering search engine optimisation. For example, Google and other search engines favour websites using HTTPS rather than HTTP in search results and will discourage website users from visiting sites that do not have an SSL certificate installed.
There are a few ways to install an SSL certificate:
- Use a website builder that includes SSL in the configuration, such as ‘wix.com’
- Use ‘letsencrypt.org’ to generate a free SSL certificate. This is an automated process and reduces the complexity of installing a certificate.
- Some hosting websites will include an SSL certificate bundled with their service.
Website Security 101 – Keep Software Up To Date
Websites often run outdated software containing known security vulnerabilities, but this security risk can be avoided. Carrying out regular software updates and ensuring that you are using the latest version of the software will typically remediate these issues by installing security patches and increasing your website security.
Some content management systems such as WordPress allow the website admin to automate updates. However, this issue is not limited to content management system (CMS) vulnerabilities, where the update process can be automated.
Another usual suspect is old versions of jQuery libraries with known vulnerabilities. Regular checks ensure that no vulnerability affecting your website has been published for the libraries in use. This applies to all software used by the website. Install security plugins on a WordPress site to enhance security.
Implement Security Headers
Security headers are a simple and effective way to protect against many common vulnerabilities such as Clickjacking, Cross-Site Scripting (XSS), CSRF, etc.
Based on OWASP’s best practice guide, these are the recommended security headers along with the proposed best practice values.
| Header Name | Proposed Value |
|---|---|
| HTTP Strict Transport Security (HSTS) | `max-age=31536000; includeSubDomains` |
| Content-Security-Policy | `default-src 'self' data:; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content` |
How to Secure a Website – Implement a WAF
A WAF or Web Application Firewall works by examining the HTTP traffic between the internet and the web application. Typical attacks that WAFs help prevent include but are not limited to: XSS, CSRF, DDoS and SQLi. This works by sitting in front of the website, so the client must pass through it before reaching the server. WAFs can be set up using different policies to defend against all types of malicious actors.
There are three different types of WAF available:
- Network-Based – This is hardware-based. This is typically the fastest due to its proximity to the server and is typically more expensive and generally suited to large organisations with heavy website traffic.
- Host-Based – This is similar to the hardware WAF. However, it runs on a virtual machine and is more versatile than the hardware WAF, as it can be deployed to the cloud. It suffers from higher latency because it is not physically close to the server.
- Cloud-based – A service provider manages the cloud-based WAF. The main advantage is simplicity and no maintenance required.
Secure your Website by Stopping Data Breaches – Stop Leaking Information
Your website might be leaking information to potential threat actors. Commonly, websites reveal information in two areas – the response headers and the error pages. Information leakage can give a hacker information that they otherwise would not easily acquire, needlessly increasing the attack surface of a website.
The response headers
Sometimes websites contain information about the technology in use via the response headers. These headers are typically:
These must be removed as they provide attackers with valuable information.
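The following is an added example, not code from the original post: a small audit function that checks a response's headers against the two recommended values in the table above (HSTS max-age of one year with includeSubDomains, and a CSP whose object-src and frame-ancestors are 'none') and flags technology-revealing headers that should be removed. The list of leaky header names (Server, X-Powered-By, X-AspNet-Version, X-Generator) is my assumption of what a typical check would look for, and the two header sets are constructed samples rather than captures from any real site.

```python
import re

# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Strict-Transport-Security": "max-age=300",
    "Content-Type": "text/html",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self' data:; object-src 'none'; child-src 'self'; "
        "frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
    ),
    "Content-Type": "text/html",
}

# Headers that commonly reveal the technology stack (assumed list, not from the post).
LEAKY_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")

ONE_YEAR = 31536000  # seconds; the recommended HSTS max-age


def _lookup(headers, name):
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings for a response's headers; an empty list means it passes."""
    findings = []

    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        age = int(match.group(1)) if match else 0
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = _lookup(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        if policy.get("object-src") != ["'none'"]:
            findings.append("CSP object-src is not 'none'")
        if policy.get("frame-ancestors") != ["'none'"]:
            findings.append("CSP frame-ancestors is not 'none' (clickjacking risk)")

    for name in LEAKY_HEADERS:
        if _lookup(headers, name) is not None:
            findings.append(f"information leak: {name} header present")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

The same function can be pointed at real responses by passing the headers dictionary returned by whatever HTTP client the site's monitoring already uses; the checks are deliberately literal (exact `'none'` values) so that a weakened policy fails rather than being silently accepted.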
The error pages
Error pages, similar to response headers, can give information such as version numbers to an attacker. This may result in the attacker getting a better understanding of the website’s attack surface.
When an error page is displayed to a low-privilege or unauthenticated user, it should be adequately sanitised and only show generic information that will not result in unwanted information leakage, to protect your website further.
Secure your Website by verifying File Permissions – Don’t Allow File Uploads
Allowing file uploads is dangerous. There are all kinds of malicious code and payloads that a threat actor could upload. If possible, it is best to avoid having an upload feature. Additionally, if your website requires one, then there are some steps you should take to ensure it’s secure and enforce your file permissions:
- Only allow certain file types
- Verify file types are correct
- Ensure input validation is in place
- Ensure that the error message is generic and doesn’t leak information such as file location
- Remove embedded threats
- Randomise uploaded file names
- Scan uploaded files with antivirus software
- Set restrictions on file size and filename
- Only allow uploads from authenticated users
- Store files outside of the web root folder
Creating a secure file upload feature from scratch can be tricky. If there is no requirement to create your own, you may want to consider using a third-party system such as Filestack, which comes prebuilt with good security features.
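As an added illustration of the checklist above (example code, not from the original post or any product it mentions), here is a minimal upload handler that applies the list in order: authenticated users only, an extension allow-list, verification that the file content matches the claimed type via its magic bytes, size and filename limits, a random storage name, a generic error message with the real reasons kept for server-side logging, and storage outside the web root. The allowed types, size limit and `/srv/app/uploads` path are assumptions; antivirus scanning and removal of embedded threats are left to external tooling.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Allow-list of permitted extensions and the magic bytes each type must start with.
# Assumed policy values, not from the post; extend to suit the application.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 2 * 1024 * 1024            # size limit (assumed)
MAX_NAME_LEN = 255                     # filename length limit (assumed)
UPLOAD_DIR = Path("/srv/app/uploads")  # assumed location outside the web root


class UploadRejected(Exception):
    """Generic message for the client; the specific reasons stay server-side."""

    def __init__(self, reasons):
        super().__init__("The file could not be uploaded.")
        self.reasons = reasons


def rejection_reasons(filename, data, user_authenticated, max_bytes=MAX_BYTES):
    """Run every check and return the list of failures (empty list means accepted)."""
    reasons = []
    if not user_authenticated:
        reasons.append("unauthenticated")
    # Reject path separators and NULs so the name can never escape the upload directory.
    if not filename or len(filename) > MAX_NAME_LEN or any(c in filename for c in "/\\\x00"):
        reasons.append("bad filename")
    if not data or len(data) > max_bytes:
        reasons.append("bad size")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        reasons.append("type not allowed")
    elif not data.startswith(ALLOWED_TYPES[ext]):
        # The extension is allowed but the content is something else (e.g. a script renamed .png).
        reasons.append("content does not match extension")
    return reasons


def validate_upload(filename, data, user_authenticated, max_bytes=MAX_BYTES):
    """Return the verified extension, or raise UploadRejected carrying the logged reasons."""
    reasons = rejection_reasons(filename, data, user_authenticated, max_bytes)
    if reasons:
        raise UploadRejected(reasons)
    return filename.rsplit(".", 1)[-1].lower()


def random_name(ext):
    """Random on-disk name so the user-supplied filename is never used for storage."""
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(filename, data, user_authenticated, upload_dir=UPLOAD_DIR):
    """Validate, then write the file with a random name, no execute bit, and no overwrite."""
    ext = validate_upload(filename, data, user_authenticated)
    dest = Path(upload_dir) / random_name(ext)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo():
    """Store a constructed PNG-like payload in a temporary directory; True if the name was randomised."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed sample, not a real image
    with tempfile.TemporaryDirectory() as tmp:
        dest = store_upload("holiday.png", png, True, upload_dir=tmp)
        return dest.exists() and dest.name != "holiday.png" and dest.suffix == ".png"


if __name__ == "__main__":
    print("demo stored with random name:", demo())
    print("php disguised as png:", rejection_reasons("shell.png", b"<?php echo 1; ?>", True))
```

Note that a web handler would catch `UploadRejected`, log `.reasons`, and return only the exception's generic message to the client, which is the point of the checklist's "generic error message" item.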
Backup Your Website
You should implement a backup feature for your web application. For example, if a malicious actor exploits your website, you may want to revert your website to its previous state.
Ideally, you want to back up your website once a day or once a week. The more often, the better. Many CMS solutions come with built-in backup options. This gives multiple layers of security should something happen to the website.
Secure your Website by Enforcing a Strong Password Policy
As more services move online and more sensitive data is stored on the internet, it’s important that your website has a strong password policy. Individuals who use the same password or weak passwords increase the risk of a data breach.
The following steps will ensure your password policy is adequate:
- Password must meet at least three out of the following four complexity rules:
  - at least 1 uppercase character (A-Z)
  - at least 1 lowercase character (a-z)
  - a minimum of 1 digit (0-9)
  - at least 1 special character (punctuation) – do not forget to treat space as a special character too
- a minimum of 10 characters
- a maximum of 128 characters
- not more than 2 identical characters in a row (e.g., 111 not allowed)
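The policy above, implemented as an added example (not code from the original post): the function returns every rule the candidate password breaks, so the caller can report all problems at once rather than one per attempt. The character-class patterns are my assumption of the rules' intent; in particular, anything that is not an ASCII letter or digit, including space, is counted as a special character.

```python
import re

# One regex per complexity class; a password must match at least three of the four.
CLASS_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),  # punctuation and space count as special (assumed)
}
MIN_LEN = 10
MAX_LEN = 128
MIN_CLASSES = 3
REPEAT_RUN = re.compile(r"(.)\1{2,}", re.DOTALL)  # three or more identical characters in a row


def check_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    classes = sum(1 for pattern in CLASS_PATTERNS.values() if pattern.search(password))
    if classes < MIN_CLASSES:
        problems.append(f"only {classes} of 4 character classes present")
    if REPEAT_RUN.search(password):
        problems.append("3 or more identical characters in a row")
    return problems


def is_acceptable(password):
    """Convenience wrapper for registration forms."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed samples to show the policy in action.
    for candidate in ("Correct Horse 42", "password111", "Ab1!", "a" * 129):
        print(repr(candidate), check_password(candidate) or "OK")
```

The three-of-four rule means a long passphrase of lowercase words with spaces and a single digit passes, which is consistent with the advice to encourage password managers and longer passwords rather than forcing a particular symbol.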
Encourage users to use a password manager when concerned about remembering lengthy passwords. This helps them to save their passwords securely across multiple accounts.
To learn more about our testing services, visit www.sapphire.net/penetration-testing/