17 Mar How to Secure Your Website and Protect Your Customers in 2020
When it comes to hosting your site, many customers believe the hosting provider will take care of everything including website security. However, in most cases, the vendor operates using a shared responsibility model. That means that the hosting company takes care of some of the responsibilities, but not all.
Cybersecurity is not covered entirely by most public hosting providers. In this article, you will learn about the most common security threats, and how to secure your website from hackers and other malicious threats.
The Most Common Online Security Threats
The first step in ensuring that your sites and customers are secure is to understand the threats you are facing. If you do not understand what you need to protect against, you cannot implement effective protections. Below are the most common vulnerabilities you are likely to experience.
Using vulnerable components
Anytime you incorporate outside components into your site, you are potentially introducing vulnerabilities. Unfortunately, you cannot completely avoid this risk since almost every tool or application you use sources outside components. Some of these components are bound to be vulnerable.
The vulnerabilities present in these components put you at risk for many of the other vulnerabilities covered here. One well-known example of this is the Apache Struts vulnerability. Even though this vulnerability was announced and patches made available, it continues to present a risk for many organizations.
Web scraping is the use of bots to collect site content or user data. This information is then presented by others as original content or sold for analytics or marketing purposes. For example, attackers may use bots to scrape pricing information, enabling buyers to consistently underbid you.
Code injection takes advantage of poor input validation measures to manipulate back-ends or run malicious scripts. With it, attackers can gain access to your data and systems. They can also modify or obstruct your services, denying access to users or implanting malware.
Cross-site request forgery (CSRF)
CSRF is used to trick user clients into performing malicious actions. For example, changing passwords, transferring funds, or providing session data. This is also sometimes referred to as XSRF or session riding.
Sensitive data exposure
Website access requires the transfer of data across the Internet, which creates an opportunity for data to be intercepted. If you are not using encryption or secure protocols there is little to stop attackers from accessing or modifying data. This includes location data, financial information, and personally identifiable information.
Backdoor attacks use malware to bypass authentication or other security services. This malware is often included or inserted into otherwise legitimate remote access routes. For example, those provided to employees or third-party contractors. With backdoors in place, attackers can access your systems and assets unimpeded.
Misconfigurations and human errors are a major source of risk in any system or site. This includes the use of default credentials, lack of access restrictions, misconfigured HTTP headers, and verbose error messages.
Cross-site scripting (XSS)
XSS attacks intercept traffic to redirect users to a target, typically a malicious site. This can be accomplished via an implanted link or function in an application. These attacks can even redirect from one site to another which has been compromised, removing the need for attackers to host a site of their own.
How to Secure Your Website
Once you understand the risks that you need to manage, you can begin protecting your sites and customers. The following practices are a good place to start.
Keep your website up to date
Keeping your site and servers up to date is one of the most important steps to take. This is particularly true if you are using components with known vulnerabilities. If a patch is available, there is little reason why an attacker should be able to exploit an issue.
When updating, make sure to account for patches made available from your hosting service as well as from any components or applications you’re using. You also need to ensure that any security certificates you’re using are valid and up to date. This helps ensure that your customers remain safe.
Choose a secure hosting service
The security of your website host directly affects the security of your site. Before selecting a host, you should take the time to verify their security policies and procedures. You should also try to find hosts that provide disaster and data recovery options, such as automated backups or regional duplication.
Use secure protocols
Whenever possible you should be using Hypertext Transfer Protocol Secure (HTTPS). This protocol ensures that data is encrypted and reduces the risk of request interception. It is a necessity for any site that transfers private information, such as financial or medical data.
Restrict file uploads
While there are many valid reasons for users to upload files, file acceptance also creates an opportunity for attackers to upload malware. To prevent this, you should restrict who can upload files and what types of files you’ll accept. You can also set up sandboxes for file acceptance to ensure that files are scanned and verified to be safe before transfer.
Always hash passwords
If you have a login mechanism you need to ensure that any passwords you store are hashed. This ensures that even if an attacker gains access to credential databases they will have a difficult time accessing password information.
Use web application firewalls (WAFs)
WAFs are firewalls that monitor and filter traffic between web applications and the Internet. These tools can protect your site from automated traffic and known malicious IPs. WAFs can also help you avoid direct denial of service attacks aimed at crashing your site.
Manage your server configuration files
Server configuration files provide information defining how your server operates, including any security settings you have in place. If an attacker gains access to these files they can completely control access to your site. To secure these files, you need to ensure that access to your root web directory is secured as this is where config files are typically stored.
Cyber attackers target websites on a daily basis, using a wide range of attacks. Common attacks that target websites include exploiting vulnerabilities, web scarping, code injections, CSRF, exposure of sensitive data, backdoor attacks, security misconfigurations, and XSS.
You can secure your website by keeping your site updated, adding cloud security services to your hosting packs, using secure protocols, restricting file uploads, hashing passwords, adding WAFs, and properly managing server configuration files. Remember to always get peer feedback and counsel with experts when needed.
Image by 200 Degrees from Pixabay
Author Bio: Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. You can reach him on LinkedIn: