As technologies are growing everybody is moving towards website. Desktop app are also getting converted into web and mobile apps are now getting converted in hybrid web app. So you can analyze the future will be on website development. So the website security is a big priority and will be:
Here are some tips to secure your website:
1. Be aware for SQL injection:
SQL injection means someone can hit your db using sql queries by your form fields and may be by url.
To avoid SQL injection use any ORM and avoid writing inline queries in your code.
Us stored procedures and views to play with db.
2. Be aware of XSS attacks:
Create some notifications (email notification, sms notification) to check inserted scripts if any and do alert to your support team ASAP.
3. Use both server and client side validations
client side validations can be skipped easily so always validate on server side.
4. Avoid showing technical messages.
Show minimum messages to user for example "Some technical issue try after some time!", "server not responding properly try after some time!" and so on.
Showing actual error may leak your application and server secretes.
5. Use password encryption
Always store encrypted password and salt password.
Use password policies like asking users to type strong password, set login attempts, send email on each login, ask opt once forget password.
6. Beware of allowing file upload :
Allowing application's users to upload images, you cannot rely on the file extension or the mime type to verify that the file is an image as these can easily be faked. It can have executable code and can execute on your serer.
To avoid this kind of hacking you first thing you need to do is, save files with different names and extensions.
Save it out side your application root and use that root to show or download that file.
Don't give execute and access permission to that folder.
7. Purchase HTTPS certificate:
Https is secure server certificate which allows user to transfer data securely between client and server.
It apply some encryption during transmission so no one can hack in between.
There are so many secure data in website these days like user credentials, debit card, credit card info, and other very confidential documents. So these must be encrypt before reaching at correct location.
8. Use some tools which provides website security testing:
There are some free tools which can be use for penetration testing.
These tools have some hacking scripts as hackers do.
9. Use cloud base servers to host your website like Microsoft azure server, Amazone server, icloud and so on
10. Use different server for different levels of your application for example for database use different server, for your application use different server, and for files use different one. It will protect you to not lost in one shot.
11. Do good coding practices and write maximum unit tests.