Website security checklist


Once your website is live, its security is a daily concern rather than a one-time task. Here are some quick tips to prevent common website attacks.

1. Always use up-to-date software
It may seem obvious, but keeping all software current is critical to your website. Everything from the server operating system to the CMS, forum software, plugins and themes should be patched promptly; most mass-exploitation campaigns target vulnerabilities for which a fix has already been published.

2. Prevent SQL injection
An attacker may use a form field or URL parameter to embed rogue SQL into your query and gain access to your database. Using this trick, the attacker can read data they should not see, alter tables, or even drop them. The reliable defence is to always use parameterized queries (prepared statements), so that user input reaches the database as data and is never spliced into the SQL text. Escaping input by hand is error-prone and should not be relied on.

3. Prevent cross-site scripting (XSS)
An attacker may submit JavaScript or other script through a form so that it runs in the browsers of your other visitors. Encode untrusted data for the context in which it is rendered (HTML body, attribute, JavaScript, URL) at output time, and strip or reject HTML on input only where a field is never meant to contain markup. A Content-Security-Policy header limits the damage when an encoding mistake slips through.

4. Server-side validation
Validate every form both in the browser and on the server. Browser-side validation exists only for a better user experience: it is trivially bypassed by disabling JavaScript or by sending requests directly with a tool such as curl or an intercepting proxy. The server must re-check the type, length, range and format of every field it receives.

5. Passwords
Require users to choose strong passwords: a sensible minimum length and a check against commonly breached passwords do more than forced symbol and case rules alone. Never store passwords in plaintext or in a reversible (encrypted) form, and never use a plain fast hash such as MD5 or SHA-1. Store a salted hash produced by a slow, purpose-built password hashing function such as bcrypt, scrypt, Argon2 or PBKDF2. Such hashes cannot be reversed, so even if attackers obtain a copy of your user database they cannot simply read the users' credentials, and the deliberately slow function makes offline guessing expensive.

6. Validate file uploads
Allowing users to upload files is always a significant risk; validate every file before it is written to the server. Restrict the file size, allow only a short list of extensions, and check that the content actually matches the declared type (the client-supplied MIME type is just another untrusted header). Store uploads under a server-generated name outside the web root and serve them through a download handler rather than allowing direct access, so an uploaded script can never be executed by the web server.
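Items 2 and 3 side by side, as an added example that is not part of the original checklist. It uses only Python's standard-library sqlite3 and html modules; the users table, its two rows and the two attack strings are constructed here for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's user database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def find_user_vulnerable(db: sqlite3.Connection, username: str) -> list:
    # String formatting splices the attacker's text into the SQL grammar:
    # a quote in the input closes the literal and the rest becomes SQL.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return db.execute(query).fetchall()


def find_user_parameterized(db: sqlite3.Connection, username: str) -> list:
    # The ? placeholder sends the value separately from the statement text.
    # Whatever the input contains, it is compared as a string, never parsed.
    query = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(query, (username,)).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    # Raw user text dropped into the page: a <script> tag in the comment
    # runs in the browser of every visitor who views it.
    return f'<p class="comment">{comment}</p>'


def render_comment_escaped(comment: str) -> str:
    # Encode for the HTML-body context at output time. The stored text is
    # left intact, so the same value can be encoded differently when it is
    # later placed in an attribute or a JavaScript string.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


SQLI_PAYLOAD = "' OR '1'='1"                               # constructed attack input
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"   # constructed attack input

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", find_user_vulnerable(db, SQLI_PAYLOAD))      # every row
    print("parameterized:", find_user_parameterized(db, SQLI_PAYLOAD))   # []
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_escaped(XSS_PAYLOAD))
```

The vulnerable lookup turns `' OR '1'='1` into `WHERE username = '' OR '1'='1'` and returns the whole table; the parameterized version looks for a user literally named `' OR '1'='1` and returns nothing. The same placeholder mechanism exists in every mainstream database driver (`%s` for psycopg2 and MySQL connectors, `$1` for asyncpg, `@name` for ADO.NET).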
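Server-side validation of an upload (items 4 and 6), as an added example rather than code from the checklist. The 2 MiB limit, the allowed-type table and the assumption that `upload_dir` lies outside the web root are choices made here for illustration; the magic-byte check is a cheap sanity check on the first bytes, not a full parser.

```python
import os
import secrets

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MiB, an assumed site-specific limit

# Allowed extension -> the leading bytes a genuine file of that type carries.
# The browser's Content-Type header is deliberately not consulted: the
# client controls it, so it proves nothing.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_upload(filename: str, data: bytes) -> str:
    """Check size, extension and content; return the extension to store under."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Drop any directory components the client supplied (../ or C:\...) and
    # take only the final extension, lower-cased so .PnG cannot slip past.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    # Content check: a .png that starts with "<?php" is not a PNG.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def is_acceptable(filename: str, data: bytes) -> bool:
    """True if validate_upload accepts the file, False otherwise."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Write a validated upload under a random server-chosen name; return that name."""
    ext = validate_upload(filename, data)
    # The client's filename never touches the filesystem. upload_dir is assumed
    # to sit outside the web root and to be served only via a download handler
    # that sets Content-Disposition and a fixed Content-Type.
    stored_name = secrets.token_hex(16) + ext
    with open(os.path.join(upload_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name
```

Because the extension is derived from the last dot only, `shell.png.php` is rejected on extension and `shell.php.png` containing PHP is rejected on content; `../../etc/Cat.PNG` is reduced to a `.png` and stored under a random name, so the path traversal never reaches the filesystem. Images accepted this way should still be re-encoded by an image library before being served, which strips embedded polyglot payloads that a header check cannot see.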


7. SSL/TLS
A TLS certificate (still commonly called an SSL certificate) lets your site serve traffic over HTTPS, encrypting it in transit so that an attacker on the network path cannot sniff or tamper with your users' information. Use HTTPS for the whole site, not only the pages that handle personal data or payments: session cookies travel with every request, and a single plain-HTTP page is enough for an intermediary to capture them. Redirect HTTP to HTTPS and send a Strict-Transport-Security (HSTS) header so browsers refuse to downgrade.

8. Give a generalized error message rather than a specific one
On a failed login always return the same generic message, such as 'username or password is invalid'. Never report 'username is wrong' and 'password is wrong' separately: a specific message tells an attacker which half of the credential is already correct, so they can enumerate valid usernames and then concentrate their brute-force attempts on the password alone. Apply the same rule to the password-reset and registration flows, and keep response times similar for known and unknown usernames. The generic message on its own does not stop brute force; pair it with rate limiting and account lockout.

9. Penetration testing
After you have made the necessary changes, check the site for the holes you have missed. A number of free and commercial tools are available; vulnerability scanners such as Netsparker and OpenVAS find many common issues automatically, but an automated scan is not a substitute for a manual penetration test of the application's logic. Re-test after every significant change, not only once.
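Password storage (item 5) and the login error message (item 8) belong to the same piece of code, so one added example covers both; it is not code from the checklist. It uses PBKDF2-HMAC-SHA256 from Python's standard library because that needs no third-party package (bcrypt, scrypt or Argon2 through a maintained library are equally good); the 600,000 iteration count follows the current OWASP recommendation, and the in-memory user store and the password policy thresholds are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # OWASP floor for PBKDF2-HMAC-SHA256
GENERIC_ERROR = "Username or password is invalid"


def password_meets_policy(password: str) -> bool:
    # Length is the primary requirement; the checklist's mixed-character
    # rule is kept as a secondary check. Thresholds are assumed values.
    return (
        len(password) >= 12
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() or not c.isalnum() for c in password)
    )


def hash_password(password: str) -> str:
    """Return a self-describing salted hash; the password itself is never stored."""
    salt = secrets.token_bytes(16)  # fresh per user: identical passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: response time must not reveal how many
    # leading bytes of the guess were right.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed in-memory user store: username -> stored hash string.
USERS = {}
# Hash of a random throwaway value, so that a login attempt for an unknown
# user spends the same KDF time as one for a known user.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def register(username: str, password: str) -> None:
    if not password_meets_policy(password):
        raise ValueError("password does not meet policy")
    USERS[username] = hash_password(password)


def login_leaky(username: str, password: str):
    # The checklist's anti-pattern: two different messages let an attacker
    # first enumerate usernames, then brute-force only the password.
    stored = USERS.get(username)
    if stored is None:
        return False, "username is wrong"
    if not verify_password(password, stored):
        return False, "password is wrong"
    return True, "ok"


def login(username: str, password: str):
    # Hardened form: one message and roughly one response time for every failure.
    stored = USERS.get(username)
    if stored is None:
        verify_password(password, _DUMMY_HASH)  # same work as the known-user path
        return False, GENERIC_ERROR
    if not verify_password(password, stored):
        return False, GENERIC_ERROR
    return True, "ok"
```

The stored string carries the algorithm and iteration count, so the work factor can be raised later and old records re-hashed at next successful login. Neither `login` variant includes rate limiting or lockout; those belong in front of this function, per item 8.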

