Websites have been around for a long time. As have hackers. Nobody is a stranger to either of them. It therefore makes sense to ensure that your code, the product of endless hours of hard work and neck pain, is not exploited by someone.
As a fellow developer, I can relate, so I thought I would share a few basic security measures that will definitely make your website less susceptible to hacking attempts.
- Install a security certificate on your domain (some don’t even cost money): Having a security certificate relieves you of the woes that snoopers come bearing. Most snoopers will be unable to get passwords or any other information transmitted from the client’s machine to the server once you have a security certificate on your domain. Moreover, you should redirect all http:// traffic to https:// to ensure that an encrypted channel is always used for cookies and other transfers of data between the client-side device and the server. I’m sure you’re still stuck on the ‘don’t have to pay’ part. You can easily get a Let’s Encrypt security certificate from their website, or get one with Certbot if you have shell access.
- Captcha for bots: It’s definitely annoying when you excitedly open a response to your ‘Contact Us’ form only to realise the user’s email is firstname.lastname@example.org and they want to say “asdj kkn out wgrywanie u9789 ” to you. Jokes aside, it is important to have a Captcha on all your forms to prevent malicious bots from spamming your website. I personally recommend reCAPTCHA by Google, which takes the processing away from your server and rests that responsibility solely on Google. All you have to do is verify the response and voilà! You now know the user is a human and not a bot spamming your website.
- Sanitise and filter the user inputs: Make preg_replace() (a built-in PHP function) your best friend. It’s one of the most flexible ways of filtering user inputs. The most common application of this is $string = preg_replace('/[^A-Za-z0-9\-\/\(\) ]/', ' ', $string). Filtering input this way stops someone who does not even have access from making changes to your website’s back end. As scary as that risk can be, it can be avoided with simple instructions.
- Never Trust GET or POST data: This follows a similar vein as Point 3, where you should never trust the user. All input data is to be treated as malicious code. For instance, say you have 3 services which follow the URL format example.com/service.php?name=service1 or example.com/service/service1, and using the slug (“service1”) you put the of the page as Service1 (simply capitalising the first letter). This is a very bad situation, as someone can easily change the URL to example.com/service/ to check if they can run scripts on your server, and if an alert box opens up, they will run more harmful scripts. Therefore it’s not only important to sanitise your GET and POST variables, but also necessary to check that they correspond to a valid page, or in this case to one of “service1/2/3”.
- “Required”? I don’t think so: While validating a form on the server end, always verify that a “required” variable is actually received, because it’s easy to edit the HTML code and remove that tag. Removing the required tag will actually serve as a bug solution in some cases of locally setting up a website for Magento 1.
- Parameterised SQL Query: Make sure all your SQL queries are parameterised. This is your one-stop shop to prevent SQL injections. Parameterised queries should be incorporated early on, and you should make them a mandatory practice. A user can write an SQL query as an input, and this will be executed unless it’s converted to a string (which is what parameterisation enforces). Follow this thread on Stack Overflow to gain more insight into the same.
- Always #: Any sensitive information which is shown on the client’s side should be hashed. This includes login information storer which is not a-z, A-Z, 0-9, '-', '/', '(' or ')' should be replaced by single quotes ('') or no space. To restrict it for slugs, remove the hyphens and the round brackets and you’ll be good to go. Use this friendly tool to check your regular expression before implementation. This is also valid for file uploads, where you must check the type and size of the file before uploading it to a server.
- Add X-Security Header in your .htaccess: XSS, Page Framing and Content Sniffing are major security risks. These techniques revolve around running malicious scripts on your server by exploiting security vulnerabilities. Add the following lines of code and you’re good to go.
- Secure your cookies: If your cookies are being generated using an HTTP request, a malicious user can run a TRACE request along with XSS and get the cookie information. However, if you’re following the steps mentioned above, which include forcing HTTPS and hashing your cookie data, you’ll be A-okay. But being doubly secure never hurt anybody. Follow the accepted answer on this thread and you’ll have secured your cookies, with nothing to worry about!
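The slug check from “Never Trust GET or POST data” and the server-side check from “Required”, as an added example that is not code from the original post. The SERVICES table, resolve_service() and missing_fields() are hypothetical names, and the sample requests are constructed stand-ins for $_GET and $_POST.

```php
<?php
declare(strict_types=1);

// Allow-list of valid slugs mapped to display titles (hypothetical data).
const SERVICES = [
    'service1' => 'Service1',
    'service2' => 'Service2',
    'service3' => 'Service3',
];

/**
 * Resolve the untrusted ?name= value to a known page title.
 * Returns null for anything missing, not a string, or not on the list.
 */
function resolve_service(array $query): ?string
{
    $slug = $query['name'] ?? null;
    if (!is_string($slug)) {          // missing, or an array such as ?name[]=x
        return null;
    }
    return SERVICES[$slug] ?? null;   // exact match only, never derived from input
}

/** Server-side "required" check: returns the names of missing or blank fields. */
function missing_fields(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $field) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || trim($value) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

// Constructed sample requests standing in for $_GET.
$requests = [['name' => 'service1'], ['name' => 'Service<b>9'], ['name' => ['x']], []];
foreach ($requests as $get) {
    $title = resolve_service($get);
    if ($title === null) {
        echo "404 Not Found\n";
        continue;
    }
    // Encode on output even though the value came from the allow-list.
    echo '<title>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</title>\n";
}
// Constructed stand-in for $_POST: "message" is present but blank.
print_r(missing_fields(['email' => 'a@example.org', 'message' => '  '], ['email', 'message']));
```

Because the title comes from the allow-list rather than from the URL, a request for an unknown slug ends in a 404 instead of being echoed back into the page.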
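A parameterised query as described under “Parameterised SQL Query”, as an added example that is not code from the original post. It assumes the pdo_sqlite extension is available; the users table, find_user() and the sample rows and inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite database with constructed sample rows (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
$pdo->exec("INSERT INTO users (email, name) VALUES
    ('alice@example.org', 'Alice'), ('bob@example.org', 'Bob')");

/** Look up a user by e-mail; the value is bound, never concatenated into SQL. */
function find_user(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one normal address and one containing SQL syntax.
$inputs = ['alice@example.org', "x' OR '1'='1"];
foreach ($inputs as $input) {
    $rows = find_user($pdo, $input);
    // The second input is compared as a literal string, so it matches no row.
    printf("%-20s -> %d row(s)\n", $input, count($rows));
}
```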
Adding security features to your website is an ever-evolving process, thanks to advancing technologies and advancing hacking techniques. These are some measures that have helped me along the way.