4 Tips to Create Secure Website Code
These days data is the new money, and with innumerable new dangers of data theft lurking around the corner, you never know when your website has been hacked. As a website owner, you not only have to think about how to draw traffic to your site but also ensure that your website has not exposed itself to vulnerabilities thereby making it unsafe for users. When you develop your website code, there could be instances when the developer has accidentally written a vulnerability, leading to security loopholes that can attract a variety of malware and unwanted risks.
We bring you some useful tips that, when applied during code development, can help create secure websites:
1. Have a Process to Validate Input
In most applications, you already know what kind of input data the users will provide. So, the simplest way to protect your website from malicious attacks is to ensure that the users can enter only appropriate data. For example, let’s say you have created an application that asks users to enter their birth date. The form should accept only the numbers 1-12 in the month field, the numbers 1-31 in the date field and the year in YYYY format. You can build such simple logic into your application and use regular expressions (regex) to handle input validation. If the data doesn’t match your logic and the format you want, the application should return an error message of some kind. This helps protect your site from a possible SQL injection attack, which is discussed further below.
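The birth-date check described above, as an added PHP example that is not code from the original article. The function name `validate_birth_date`, the restriction of years to 1900-2099 and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: validate a birth date submitted as three form fields.

/** Returns [year, month, day] as integers, or null if the input is rejected. */
function validate_birth_date(string $year, string $month, string $day): ?array
{
    // Format check: anchored patterns, digits only, ranges as described above.
    // \A and \z (not ^ and $) so a trailing newline cannot slip through.
    // Assumption: only years 1900-2099 are plausible for this form.
    if (!preg_match('/\A(?:19|20)\d{2}\z/', $year)
        || !preg_match('/\A(?:0?[1-9]|1[0-2])\z/', $month)
        || !preg_match('/\A(?:0?[1-9]|[12]\d|3[01])\z/', $day)) {
        return null;
    }
    [$y, $m, $d] = [(int) $year, (int) $month, (int) $day];

    // Calendar check: the regex accepts 31 for every month, so dates such
    // as 30 February or 31 April are rejected here.
    if (!checkdate($m, $d, $y)) {
        return null;
    }
    // A birth date cannot lie in the future.
    $candidate = new DateTimeImmutable(sprintf('%04d-%02d-%02d', $y, $m, $d));
    if ($candidate > new DateTimeImmutable('today')) {
        return null;
    }
    return [$y, $m, $d];
}

// Constructed sample inputs, as they might arrive in $_POST.
$samples = [
    ['1990', '02', '28'],
    ['1990', '02', '30'],            // matches the regex, fails checkdate()
    ['1990', '13', '01'],            // month out of range
    ['1990', '12', "01\n"],          // trailing newline
    ['1990', "1' OR '1'='1", '01'],  // not a number at all
];
foreach ($samples as [$y, $m, $d]) {
    $ok = validate_birth_date($y, $m, $d);
    printf("%-30s %s\n", json_encode([$y, $m, $d]),
        $ok ? 'accepted' : 'rejected: please enter a valid date');
}
```

The function returns integers rather than the original strings, so later code works with the validated values and not with the raw input.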
2. Make Sure to Sanitise Input and Output
You may be the owner of an e-commerce portal or a simple blog site, but you have found that by using various plugins, you are able to add complex new features such as comment spam filters, security plugins, 24x7 online help etc. Today, with free website builders like WordPress, it has become very easy and economical to install and use these plugins. You may be surprised to learn that a popular platform like WordPress has over 50,000 plugins in its official plugin repository, with 1 billion+ total downloads. These plugins help users provide a range of functionalities on their WordPress sites. The code that goes into a plugin involves a lot of complexity, which makes it vulnerable to bugs, and plugins are usually the easiest route through which attackers can take over your WordPress site.
This doesn’t imply that you should restrict using plugins on your website. However, it’s important for developers to be aware of certain basic principles of writing secure PHP code, such as (i) sanitising user input before using it in the application, (ii) sanitising output before sending it to the web browser, (iii) re-sanitising any data that arrives in your application from an API or data feed, because it might contain malicious code, and (iv) performing checks at data input as well as output.
Sanitisation removes any harmful data and involves steps such as:
• Remove <script> tags from your data
• Remove quotes from an HTML attribute before sending it to the browser
It’s important to sanitise input as well as output because a hacker could have manipulated your application into creating harmful data for output. So, do check that your output data is free of anything potentially harmful.
3. Prevent Cross Site Scripting (XSS) Attacks in User Input
As the owner of a blog or a forum, you cannot entirely disallow HTML because then it also disallows any formatting. To prevent malicious attacks while allowing simple formatting, you can allow selected HTML tags without any attributes, such as <strong> or <em>. Some sites allow a popular set of tags called “BB Tags”. This way you are allowing some formatting while disallowing anything harmful.
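Output sanitisation from tip 2 combined with the tag allowlist from tip 3, as an added PHP example that is not code from the original article. The function names `render_comment` and `render_attribute`, the `ALLOWED_TAGS` list and the sample comments are assumptions made for illustration.

```php
<?php
// Added example: escape everything, then re-enable a fixed set of bare tags.

const ALLOWED_TAGS = ['strong', 'em'];   // assumption: this site's allowlist

function render_comment(string $raw): string
{
    // 1. Encode every HTML metacharacter, including both quote styles, so
    //    the whole comment becomes inert text.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Turn back only the exact forms <tag> and </tag>. A tag carrying
    //    any attribute does not match the pattern and stays encoded.
    //    (Tags are not balanced here; a stray closing tag may remain.)
    $names = implode('|', ALLOWED_TAGS);
    return preg_replace("~&lt;(/?)($names)&gt;~i", '<$1$2>', $safe);
}

function render_attribute(string $raw): string
{
    // For values placed inside a quoted HTML attribute: encoding the
    // quotes keeps the value from closing the attribute early.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample comments.
$comments = [
    'Great <strong>post</strong>, <em>thanks</em>!',
    '<strong onclick="alert(1)">click</strong>',
    '<script>alert(1)</script>',
];
foreach ($comments as $c) {
    echo render_comment($c), "\n";
}

// Constructed sample value echoed back into a form field.
$name = 'x" onfocus="alert(1)';
printf("<input type=\"text\" value=\"%s\">\n", render_attribute($name));
```

Encoding first and re-enabling afterwards means anything not explicitly allowed is displayed as text, so the filter does not need to recognise every harmful tag or attribute.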
4. Protect Your Site from SQL Injection
The most common attack that happens on databases is the SQL injection attack. In such an attack, the hacker can send arbitrary commands to your database to either add or update data in an unauthorised way or gain access to sensitive information such as passwords or member email addresses. This kind of attack is made possible when data is not checked or validated properly and the application doesn’t escape characters used in SQL strings, such as single or double quotes. If these characters are not filtered out, somebody can exploit the system by making queries always true, thus allowing them to trick login systems.
To prevent such attacks, you can use some tools to protect your database input. For example, when you are connected to an SQL server, you can use protection functions with a simple call, making your variables safe to be used in queries.
Although there are tools to safeguard your database from SQL injection attacks, it is best to have proper data validation in place while developing your code, as mentioned earlier.
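The always-true query described in tip 4, shown against a string-built lookup and against a prepared statement, as an added PHP example that is not code from the original article. It uses PDO parameter binding as one such protection tool, not an escaping function; the `members` table, the function names and the sample data are assumptions, and it needs the `pdo_sqlite` extension.

```php
<?php
// Added example: string-built query vs. prepared statement (PDO + SQLite).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO members (email, name) VALUES
    ('alice@example.com', 'Alice'), ('bob@example.com', 'Bob')");

// BEFORE: user input is pasted into the SQL text, so a quote in the input
// ends the string literal and the remainder is parsed as SQL.
function find_member_unsafe(PDO $db, string $email): array
{
    $sql = "SELECT email, name FROM members WHERE email = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the SQL text is fixed; the value travels separately as a bound
// parameter and is only ever compared as data.
function find_member(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT email, name FROM members WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary address, and one whose quote characters
// turn the string-built WHERE clause into a condition that is always true.
$inputs = ['alice@example.com', "nobody' OR '1'='1"];
foreach ($inputs as $in) {
    printf("%-22s unsafe: %d row(s)   bound: %d row(s)\n",
        $in,
        count(find_member_unsafe($db, $in)),
        count(find_member($db, $in)));
}
```

Format validation of the email address, as in tip 1, remains a separate layer in front of the query.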
It is very easy for vulnerabilities to creep into your website code if proper checks, sanitisation and validation of data both at the input and output side are not done. The responsibility of building secure applications lies with the developer, who must first be aware of the common types of vulnerabilities and attacks that could harm these applications. We hope the above-mentioned tips will be helpful to you in developing secure website code.
Shwetha Bhat | Blogger