Make your website secure with these tips

Jayesh waghmare
6 min read · Oct 15, 2020

The dot-com era started in 1995. At that time, only languages like HTML, XML, CSS and JavaScript were used to code websites, while the SQL-based database management system and the intermediate business logic were written in .NET, PHP or Java. During this blooming era of connectivity via websites, many potential hackers took the opportunity to take these websites down with various attacks, or loopholes to be precise.

As web development gained more and more developers, certain practices to secure websites were followed.

Today, many frameworks like ReactJS, AngularJS, VueJS, Django and Laravel are used, which follow the MVC architecture. REST APIs, SOAP APIs and GraphQL are also used to harness the power of many services. But one thing that remains constant is security principles.

While web developers are focused on frontend or backend, or maybe full-stack web development, one thing that unites them all is securing their sites properly.

These are the topics we will be discussing today, along with how to avoid the attacks they describe.

XSS [Cross Site Scripting]

It’s a client-side attack where an attacker enters malicious code into a website that makes the site behave incorrectly. To perform this attack, an attacker enters some JavaScript code that makes the site produce output that was not intended.


Take this example: a user (the victim) is reading comments after logging in to the website, but as the attacker has already added a script in the comment section, this script will be executed while his comment is viewed.

This script may send data to the attacker, which may be a password or something else.

How to Avoid this attack?

Sanitizing Inputs.

The only way to avoid such an attack is to make sure that your server won’t accept malicious content like <script> tags. You can write a function that checks the inputs on the server side before they get stored in the database.

When it is difficult to avoid such characters in text, you can convert them to predefined entities instead. htmlspecialchars() is a function in PHP that uses this method.
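An added example of the entity conversion just described, not code from the original post: a small escaping helper built on htmlspecialchars() and a comment renderer that passes every user-supplied field through it. The comment data is constructed for the demo.

```php
<?php
// Added example, not code from the original post: escape untrusted comment
// text with htmlspecialchars() before it is placed in HTML, so a stored
// <script> tag is shown as text instead of being run in the visitor's browser.

declare(strict_types=1);

// Escape a string for use inside HTML element content or a quoted attribute.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 rather than returning an empty string (which would silently drop data).
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the comment list. Every field that came from a user goes through e();
// the HTML skeleton itself is fixed and never built from user input.
function renderComments(array $comments): string
{
    $html = "<ul class=\"comments\">\n";
    foreach ($comments as $c) {
        $html .= '  <li><b>' . e($c['author']) . '</b>: ' . e($c['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample data; the second comment is what a stored-XSS attempt
// looks like when it reaches the template.
$sample = [
    ['author' => 'alice',   'body' => 'Nice post!'],
    ['author' => 'mallory', 'body' => '<script>alert("xss")</script>'],
];

echo renderComments($sample);
```

Escaping at output time like this protects every page that displays the comment, whatever path the data took into the database.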

What to do when you find such an attack?

If you realise that your site has been attacked with XSS, delete the malicious data from the database table that stores the input.

Injection Attacks

An injection attack is a broad class of attack where an attacker injects some code into the server which gets executed on the server itself. Injecting JavaScript code, PHP code or sometimes SQL queries is common in injection attacks. When the attacker injects a query it is called SQLi, or SQL injection.

In the example above, when the attacker enters a query in place of the username, it gets executed. This type of attack is the most dangerous because the entire database of the system can be brought down with a single command.

How to avoid this type of attack?

Sanitizing Inputs

Prepared statements (mysqli and PDO in PHP)

Using ORMs (Eloquent for Laravel or Sequelize for NodeJS)

Giving only read/write permissions to the database user instead of read/write/delete/drop
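An added example of the prepared-statement advice above, not code from the original post: the username lookup written once by string concatenation (vulnerable) and once with a PDO prepared statement. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database with constructed rows.

```php
<?php
// Added example, not code from the original post: the username lookup the
// post describes, once built by string concatenation (vulnerable) and once as
// a PDO prepared statement. Runs against an in-memory SQLite database
// (requires the pdo_sqlite extension); the table and rows are constructed.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// VULNERABLE: the input is pasted into the SQL text, so whatever the user
// types becomes part of the query and can change what it does.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the query text is fixed at prepare time; the value is sent separately
// as a parameter and is only ever treated as a string literal.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test input: a value that is not a username but a fragment of SQL.
$input = "' OR '1'='1";

// The unsafe query's WHERE clause is widened by the input and matches every
// row; the safe query looks for a user literally named "' OR '1'='1".
printf("unsafe: %d row(s)\n", count(findUserUnsafe($pdo, $input)));
printf("safe:   %d row(s)\n", count(findUserSafe($pdo, $input)));
```

The same separation of query text and data is what Eloquent and Sequelize do for you under the hood.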

CSRF [Cross-site Request Forgery]

Now you have hosted your site with good security measures, but still there are a few complaints from users that their email id or their password has been changed.

How is this possible?

Let me explain.

You made a form to change the email address or to make a payment. The attacker reads the HTML code, from which he gets a gist of the POST/GET request and the data you are sending to the server to perform an action.

Now the attacker creates a similar link with the same action URL and hidden data values, and passes this link to the victim.

If the victim clicks on this link, a request is sent to the server. If the session is still active, the server responds to the request as if it was sent by the user and changes the password or makes a payment.

To understand CSRF attacks better, imagine you made a form which submits values to another server. If the user clicks on the form, even if he doesn’t know what is going on, he still makes a request to that server which can be harmful.

How to Avoid CSRF Attacks?

CSRF tokens are widely used by web developers as a precaution.

In this method, a random token (say abcdef) is generated by the server and saved as a session variable.

This same token is sent as a hidden field during form submission (the request variable).

Now the request variable and the session variable are compared with each other. If they are the same, the request is good to go; otherwise it is a potential CSRF attack.

Frameworks like Laravel heavily use CSRF tokens; in fact they don’t allow forms to work without one.
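An added example of the token scheme described above, written by hand on top of PHP sessions; it is not code from the original post and not Laravel's own implementation. The form action and field names are assumptions for the demo.

```php
<?php
// Added example, not code from the original post or from Laravel: the
// token scheme described above, written by hand on top of PHP sessions.

declare(strict_types=1);

// Return the session's CSRF token, creating it on first use. random_bytes()
// is a CSPRNG, so a page on another site cannot predict the value.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to include in every state-changing form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token (request variable) with the session copy.
// hash_equals() compares in constant time, so response timing does not leak
// how many leading bytes of a guess were correct.
function csrfCheck(array $post): bool
{
    $submitted = $post['csrf_token'] ?? null;
    $expected  = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Request handling: reject any POST that does not carry the session's token.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !csrfCheck($_POST)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// Serve the form with the token embedded. A copy of the form hosted on the
// attacker's site cannot read the victim's session, so it cannot include it.
echo '<form method="post" action="/change-email">'
    . csrfField()
    . '<input type="email" name="email"><button>Save</button></form>';
```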

Never use cookies to store valuable data.

If tokens are stored in cookies, the attacker might use them during CSRF attacks. Also require the previous password to change the current password, or some security questions.

Password hashing.

In the section on injection attacks we learned how SQL injection can cause havoc in the database. The attacker might be able to learn passwords if they are stored in plain text without any protection. Also, if the database administrator has evil intentions, he might read your password and perform a transaction from your bank account without your knowledge.

To avoid this, a developer should save hashed passwords in the database, using strong algorithms like bcrypt. You can salt your passwords before hashing them.

password_hash() — hashes the password in PHP.

password_verify() — checks a password against the stored hash without any decryption.
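An added example of the two functions above in use, not code from the original post. It shows where the salt comes from (password_hash() generates and embeds it), adds the transparent re-hash step a practitioner would want when the cost setting is raised later, and uses constructed passwords for the demo.

```php
<?php
// Added example, not code from the original post: storing and checking
// passwords with password_hash() and password_verify(). password_hash()
// generates a random salt and embeds it in the returned string, so there is
// nothing to salt by hand and no separate salt column to store.

declare(strict_types=1);

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12]; // higher cost = slower offline guessing

// Hash a new password for storage in the users table.
// Caveat: bcrypt only looks at the first 72 bytes of the password.
function hashPassword(string $plain): string
{
    return password_hash($plain, HASH_ALGO, HASH_OPTIONS);
}

// Check a login attempt. Returns true on a match. If the stored hash was made
// with weaker settings than HASH_OPTIONS, $newHash receives a fresh hash that
// the caller should write back, so old hashes upgrade transparently at login.
function checkPassword(string $plain, string $storedHash, ?string &$newHash = null): bool
{
    $newHash = null;
    if (!password_verify($plain, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        $newHash = hashPassword($plain);
    }
    return true;
}

// Constructed demo: register a password, then try a right and a wrong guess.
$stored = hashPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored, $newHash));
var_dump(checkPassword('hunter2', $stored));

// A hash made with a lower cost (constructed here) is still accepted, but is
// flagged for upgrade: $newHash is filled in after the call.
$old = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(checkPassword('correct horse battery staple', $old, $newHash));
var_dump($newHash !== null);
```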

Some other measures: database protection, FTP, backups, DDoS attacks, sessions and cookies, HTTPS.

Database Protection

Do not give all privileges to the application user.

Make sure the admin account uses a secure password.

Hash passwords before saving them in the database.

Save your database credentials in .ini or .env files, as they are not readable by users.

FTP and SSH

If you are using an FTP account to share files or an SSH account to log in to the server, make sure that:

You use key pairs (public and private keys generated with tools like GnuPG) instead of passwords.

You use non-default ports to log in to the server.

You disable access for other users who connect with passwords.

Backups

Backups are most important in web development because if your site is taken down by a hacker you can re-host it with almost no loss.

Make sure you back up your site’s source code.

Create a cron job or an automation script to take daily backups of the database and store them in a zip file.

This ensures that even if you are taken down, you won’t lose any data.

Two Factor Authentication

Used by most social media apps, as it keeps hackers out even when a password leaks.

Make sure that the email address is verified, and add two-factor authentication as an extra layer to protect your web app.

DDoS Attacks

Even bigger sites like Amazon face DDoS attacks.

Hackers use botnets to create a flood of requests to the server, occupying the server’s request threads and taking down the service.

To avoid DDoS attacks, use third-party protection like Cloudflare.

Use a good service provider that takes care of such attacks.

Block malicious IP addresses.

If any such attack takes place, you can call your hosting provider or file a complaint with the cyber crime department.

Sessions and Cookies

These are variables that save data during a user’s visit.

Sessions are stored on the server side, while cookies are stored on the client side.

Make sure that cookies are encrypted and that sessions are destroyed properly.

Hiding Some Vulnerable Data

If you are using Apache or nginx as a host, make sure to hide all the server details that they provide.

Switch off directory listing for HTML pages.

Instead of the old-school URL method (www.something.com/profile?id=1), use pretty URLs (www.something.com/profile/1). They hide your GET request variables.

HTTPS

Use HTTPS instead of HTTP to secure the connection. Use OpenSSL to get a free SSL certificate, or contact your domain provider for one.
