I want to share my personal observations and knowledge
relating to website security. You can add more by commenting on this post.
- Password Encryption: Passwords and other credentials must be stored encrypted in the database.
- Password Renewal: On password renewal, don’t send the password directly to the user’s email; instead send a password-reset link or a temporary password (the temporary password must be changed on first login).
- Use strong login credentials: Require alphanumeric passwords from users during registration.
- Use a Captcha: Use a captcha on registration and contact forms.
- Form Validation: Validate form input before submitting it. Use strict validation rules for usernames, passwords, emails and phone numbers.
- Uploading Files: Check the file type when uploading. Restrict the user to uploading only the expected file types (e.g. images: .png, .jpg, .gif, .bmp).
- SQL Injection prevention: Don’t put $_REQUEST ($_POST, $_GET, $_SESSION) variables directly into database queries; first clean them with built-in functions (e.g. mysql_real_escape_string()) to remove any unwanted characters.
- Query strings: Don’t use open/readable keywords in your links (query strings). It is better to use them encrypted.
- Use minimal JavaScript code.
- Display Errors: Don’t display errors or notices on live sites. Try to handle all possible errors in your code. (Use mysql_error() when testing, but not on live sites.)
- File/directory Permissions: Don’t give 777 (full permission) publicly to any directory or file. Use read-only permissions for files.
- Use of an SSL certificate: To encrypt client/server transmission, an SSL certificate must be used on your website.
- Database user privileges: Don’t give all privileges to a database user. Grant only the necessary privileges when creating the database user.
- Database Backup: Take database backups on a daily or weekly basis. This will help you restore your database at any time.
- Trusted Hosting: Use/buy hosting service from well-known and trusted vendors (GoDaddy, HostGator, ixwebhosting etc.).
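To illustrate the SQL injection item above, here is an added example (not code from the original post) in Python with the standard-library sqlite3 module: the same lookup built by string concatenation and by parameter binding, run against a constructed in-memory users table. Parameter binding is the same idea as prepared statements in PHP's PDO or mysqli; the table, user names and crafted input are assumptions made up for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwd_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pwd_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],  # assumed sample rows
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    # Request data pasted straight into the statement: quote characters in the
    # input become part of the SQL, which is the bug the list item warns about.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    # Parameter binding: the driver sends the value separately from the SQL
    # text, so the input is only ever compared as a string literal.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed sample of hostile form input
    print(find_user_unsafe(db, crafted))  # every user row is returned
    print(find_user_safe(db, crafted))    # no match: treated as a literal name
```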