Wednesday, 9 October 2013

Website Security Measures

I want to share my personal observations and knowledge relating to website security. You can add more by commenting on this post.

  1. Password Storage: Never store passwords in plain text, and don't store them with reversible encryption either. Store a salted, slow one-way hash (bcrypt via PHP's password_hash() is the simplest choice) so that a leaked database table doesn't give away the passwords themselves. Credentials that the site must be able to read back (e.g. API keys for third-party services) should be encrypted with a key that is kept outside the database. 
  2. Password Reset: On a password reset, never email the user's current password (you shouldn't even be able to, if it is hashed). Send a single-use, time-limited reset link, or a temporary password that must be changed on first login. Store only a hash of the reset token, and expire it after a short time. 
  3. Use strong login credentials: Enforce a minimum length and a mix of letters and digits (ideally symbols too) when the user picks a password at registration, and don't impose a low maximum length. 
  4. Using a CAPTCHA: Use a CAPTCHA on registration and contact forms, and on the login form after a few failed attempts, to slow down automated sign-ups, spam and password guessing. 
  5. Form Validation: Validate every field on the server before using it; client-side validation is only a convenience, since anything enforced in the browser can be bypassed. Use strict validation rules (allowed characters, length, format) for username, password, email and phone number. 
  6. Uploading Files: Check the file type on the server, and don't trust either the filename extension or the Content-Type the browser sends. Whitelist the extensions you asked for (e.g. images: .png, .jpg, .gif), verify the actual content (finfo/getimagesize), give the stored file a random name, and keep uploads outside the web root or in a directory where script execution is disabled. 
  7. SQL Injection prevention: Never put raw $_GET, $_POST, $_COOKIE or $_REQUEST values (or anything derived from them) into a query string. Use prepared statements with bound parameters (PDO or MySQLi), which keep the SQL text fixed and send the values separately. Escaping with mysql_real_escape_string() only escapes quote characters, does nothing for unquoted numeric values, and belongs to the mysql_* extension, which is deprecated as of PHP 5.5. 
  8. Querystrings: Don't expose internal identifiers or keywords in links, but remember that hiding or "encrypting" a parameter is not access control: any value in a URL can be changed by the user, so every request must be authorised on the server. If an ID should not be guessable, use a random, opaque token rather than a sequential number. 
  9. Use minimal JavaScript: Keep client-side code small, and never rely on it for a security decision; it runs on the user's machine and can be edited or skipped. 
  10. Display Errors: Don't display errors or notices on live sites; raw errors leak file paths, table names and query text. Set display_errors off and log_errors on in production, and handle all expected failures in your code. Use mysql_error() (or PDO exceptions) while testing, never on the live site. 
  11. File/directory Permissions: Never give 777 (full permission for everyone) to any directory or file. Use 644 for files and 755 for directories, make a directory writable only by the web server user where the application really needs to write (e.g. uploads), and disable script execution there. 
  12. Use of an SSL certificate: To encrypt client/server traffic, the site must be served over HTTPS, and not only the login page: a session cookie sent over plain HTTP can be stolen on the network. Mark cookies Secure and HttpOnly. 
  13. Database user privileges: Don't give all privileges to the application's database user. Create a dedicated user with only the privileges the site needs (typically SELECT, INSERT, UPDATE, DELETE on its own database) and no GRANT, FILE, DROP or administrative rights. 
  14. Database Backup: Take a database backup on a daily or weekly basis, keep copies off the web server, and test that a backup actually restores. This lets you recover your data at any time. 
  15. Trusted Hosting: Use/buy hosting from well-known and trusted vendors (GoDaddy, HostGator, ixwebhosting etc.), and keep the server software up to date.
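
The following is an added example for items 1, 2 and 3; it is not code from the original post. It assumes PHP 7.0 or later (password_hash(), random_bytes() and hash_equals() are standard functions; everything else, including the policy numbers, is illustrative). Registration stores a bcrypt hash, login verifies against it, and a reset issues a random token whose hash and expiry are all the database ever sees.

```php
<?php
// Added example (not from the original post): password storage and reset tokens.
// Assumes PHP 7.0+ for password_hash(), random_bytes() and hash_equals().

declare(strict_types=1);

// Registration: store only a salted bcrypt hash. password_hash() picks a random
// salt per password and embeds salt and cost factor in the returned string.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login: verify the candidate against the stored hash in constant time.
function checkPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Item 3: enforce a minimum length and mixed character classes at registration.
// The numbers here are an assumed policy, not a standard.
function passwordMeetsPolicy(string $plain): bool
{
    return strlen($plain) >= 10
        && preg_match('/[a-z]/', $plain) === 1
        && preg_match('/[A-Z]/', $plain) === 1
        && preg_match('/[0-9]/', $plain) === 1;
}

// Item 2: build a single-use reset token. The raw token goes into the emailed
// link; only its SHA-256 hash and an expiry time are stored in the database.
function createResetToken(int $now, int $lifetimeSeconds = 15 * 60): array
{
    $raw = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    return [
        'raw'     => $raw,
        'hash'    => hash('sha256', $raw),
        'expires' => $now + $lifetimeSeconds,
    ];
}

// When the user follows the link: reject expired tokens, then compare hashes
// with hash_equals() so the comparison time doesn't leak how many bytes matched.
function resetTokenIsValid(string $presented, array $storedRecord, int $now): bool
{
    if ($now > $storedRecord['expires']) {
        return false;
    }
    return hash_equals($storedRecord['hash'], hash('sha256', $presented));
}

// Demo with constructed input.
$hash = storePassword('Correct-Horse-9');
var_dump(checkPassword('Correct-Horse-9', $hash));   // the right password
var_dump(checkPassword('wrong', $hash));             // a wrong password
var_dump(passwordMeetsPolicy('abc'));                // too short, one class only

$now = time();
$token = createResetToken($now);
$record = ['hash' => $token['hash'], 'expires' => $token['expires']];   // what the DB keeps
var_dump(resetTokenIsValid($token['raw'], $record, $now));             // fresh token
var_dump(resetTokenIsValid($token['raw'], $record, $now + 3600));      // same token an hour later
var_dump(resetTokenIsValid('guess', $record, $now));                   // wrong token
```

After a successful reset the stored record must be deleted so the link cannot be reused, and the user's existing sessions should be invalidated.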
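
The following is an added example for item 7; it is not code from the original post. It puts the string-built query beside the prepared statement that replaces it. It assumes PHP 7+ with PDO and the pdo_sqlite driver: an in-memory SQLite database stands in for MySQL so the example runs offline with no server, and the table and rows are constructed for the demo.

```php
<?php
// Added example (not from the original post): string-built query vs prepared statement.
// Assumes PHP 7+ with PDO and pdo_sqlite. For MySQL the DSN would be
// 'mysql:host=...;dbname=...;charset=utf8mb4' and the rest is unchanged.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, turn off emulated prepares so the server, not the driver, binds values.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')");
$db->exec("INSERT INTO users (username, email) VALUES ('bob', 'bob@example.com')");

// VULNERABLE: the request value is pasted straight into the SQL text, so a quote
// in the input ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed at prepare time; the value is bound separately
// and can only ever be compared as data, never parsed as part of the query.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input, as it might arrive in $_GET['user'].
$malicious = "x' OR '1'='1";

// Unsafe path: the WHERE clause becomes  username = 'x' OR '1'='1'  and every row comes back.
print_r(findUserUnsafe($db, $malicious));

// Safe path: looks for a user literally named  x' OR '1'='1  and finds nothing.
print_r(findUserSafe($db, $malicious));

// Ordinary input behaves the same through the safe path.
print_r(findUserSafe($db, 'alice'));
```

Binding also covers the case escaping does not: a numeric column compared without quotes (`WHERE id = $id`) is injectable even after mysql_real_escape_string(), but `WHERE id = :id` with a bound value is not.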

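The following is an added example for items 6 and 11; it is not code from the original post. It assumes PHP 7+ with the fileinfo extension. The function takes an array in the shape of one $_FILES entry; the demo feeds it two constructed temp files (a genuine 1x1 PNG and a PHP script renamed to .png) instead of a real upload, and the size limit and whitelist are illustrative choices.

```php
<?php
// Added example (not from the original post): server-side validation of an image upload.
// Assumes PHP 7+ with the fileinfo extension. $file mirrors one $_FILES entry.

declare(strict_types=1);

// Assumed whitelist: extension the user may send => MIME type the bytes must really have.
const ALLOWED_IMAGES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Returns a random destination filename with a vetted extension, or throws.
function validateImageUpload(array $file, int $maxBytes = 2 * 1024 * 1024): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // 1. Extension whitelist on the client-supplied name (necessary, not sufficient).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Real content type from the bytes. $file['type'] is sent by the browser and is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED_IMAGES[$ext]);
    }
    // 3. It must also parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // 4. Throw the user's filename away; a random name defeats path tricks and overwrites.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// In production the caller then does (item 11: readable, not writable by others, not executable):
//   move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $newName);
//   chmod($uploadDir . '/' . $newName, 0644);
// with $uploadDir outside the web root, or with PHP execution disabled for that directory.

// --- Constructed demo input ---
$tmp = sys_get_temp_dir();

// A genuine 1x1 transparent PNG.
$good = $tmp . '/good-upload.tmp';
file_put_contents($good, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));

// A PHP script renamed to .png: passes the extension check, fails the content check.
$bad = $tmp . '/bad-upload.tmp';
file_put_contents($bad, "<?php system(\$_GET['c']);");

$uploads = [
    ['name' => 'avatar.png', 'type' => 'image/png', 'tmp_name' => $good, 'error' => UPLOAD_ERR_OK, 'size' => filesize($good)],
    ['name' => 'shell.png',  'type' => 'image/png', 'tmp_name' => $bad,  'error' => UPLOAD_ERR_OK, 'size' => filesize($bad)],
];

foreach ($uploads as $upload) {
    try {
        echo $upload['name'], ' -> accepted, stored as ', validateImageUpload($upload), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $upload['name'], ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}

unlink($good);
unlink($bad);
```

The browser-supplied `type` field is deliberately the same for both files to show that it carries no weight; only the bytes on disk decide.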