Common Website Security Pitfalls
Website security is crucial for maintaining the trust of your customers and vendors. Your website may have security issues that are not immediately apparent.
Outdated or Unpatched Software
A chain is only as strong as its weakest link. Any software involved in your website will contain, at best, 3 to 4 errors per 1,000 lines of code. Typically, updates and patches are made to correct errors in software code. Keeping any software related or connected to your site updated and patched is vital.
Cross-site request forgery or CSRF involves a third party tricking a user into performing unintended actions. Examples include requests sent to web applications through the victim’s browser, which is authenticated with a banking, email or social media website. Automatic authentication may need to be phased out in favor of slower but more secure access options. You may also make one-time authentication optional, or require re-authentication on a recurring basis.
Unauthorized Script Addition
Cross site scripting or XSS is when a malicious user places code into your website, in order to exploit a weakness or steal user data. Even altering your email forms so they send spam emails to others instead of inquiry-related email to you can cause your server and email address to be flagged. Every user input must be validated and every action logged, in order to reduce the likelihood of this happening. Further, errors that are intentionally or accidentally triggered must be as hidden as possible, so the inner workings of your website are not revealed for potential exploitative use.
A SQL injection attack is when a user inserts malicious code into a web form that can erase, commandeer or even steal your database. Transact SQL in its standard form is most vulnerable to this form of attack. SQL injection can be reduced by using parameterized queries, which limit what can be inserted into a web form by pre-selecting the action to be performed and allowing the user to only input a small amount of parameter-based data.
Information provided in error messages can open your website to attacks. Accidentally sharing database passwords, API keys or exception details in an error message must be avoided. The easiest way to fix this problem is to share absolute minimum amounts of information on any error messages, and to thoroughly investigate any bugs that may result in a website error.
Questions about keeping your website secure? Reach out to MyMobileLyfe today!