Monday, July 14, 2014

Web Application Security: A must read for developers

There are people who spend their whole time trying to screw your web application. Many ninjas have suffered at the hands of the black hats. Luckily I happen to be a white hat.
There are many aspects to consider in making your web application secure. The Open Web Application Security Project (OWASP) has compiled a comprehensive list of known security issues and methods to protect yourself against them.
Some of the basic precautions you can take include:

Password Hashing 

Almost everyone builds a web application that requires users to log in with a username and a password. The credentials are stored in the database and retrieved when a user logs in.
It is important that you properly hash passwords before storing them. Password hashing is an irreversible, one way function performed against the user’s password. This means you can compare a hash against another to determine if they both came from the same source string, but you cannot determine the original string. If passwords are not hashed and your database is accessed by an unauthorized third-party, all user accounts are now compromised. Some users may (unfortunately) use the same password for other services. Therefore, it is important to take security seriously.

Sanitization

Sanitization is a way of ensuring that illegal or unsafe characters are removed from foreign input.
For example, you should sanitize foreign input before including it in HTML or inserting it into a raw SQL query. When you use bound parameters with PDO, the driver handles this for you: bound values are never interpreted as part of the SQL statement itself.

Data Filtering

It is very bad for any app to accept foreign data without doing checks on it. So make sure you sanitize and validate foreign input before accepting it into your code.
While foreign data can be stored, combined, and accessed later, it is still foreign input. Every time you process, output, concatenate, or include data in your code, ask yourself whether the data has been filtered properly and can be trusted. Data may be filtered differently based on its purpose. For example, when unfiltered foreign input is passed into HTML page output, it can execute HTML and JavaScript on your site! This is known as Cross-Site Scripting (XSS) and can be a very dangerous attack. One way to avoid XSS is to sanitize all user-generated data before outputting it to your page, either by removing HTML tags with the strip_tags function or by escaping characters with special meaning into their respective HTML entities with the htmlentities or htmlspecialchars functions.

Validation

Validation ensures that foreign input is what you expect. For example, you may want to validate an email address, a phone number, or age when processing a registration submission.
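The four points above (hashing, bound parameters, output escaping and validation) in one small PHP registration/login flow. This is an added example, not code from the original post; it assumes an in-memory SQLite database and a hypothetical `users` table so it runs without a server.

```php
<?php
// Added example: registration and login covering password hashing,
// PDO bound parameters, input validation and HTML output escaping.
// Assumption: an in-memory SQLite database with a hypothetical users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');

function registerUser(PDO $db, string $email, string $password): bool
{
    // Validation: reject input that is not what we expect before it touches the database.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($password) < 12) {
        return false;
    }
    // Hashing: store a one-way, salted hash, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Bound parameters: the values are sent separately and never become part of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    return $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function loginUser(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify reads the salt and algorithm from the stored hash.
    return $row !== false && password_verify($password, $row['password_hash']);
}

function renderGreeting(string $email): string
{
    // Output escaping: <, >, & and quotes become entities, so the value is
    // displayed as text rather than interpreted as markup or script.
    return '<p>Welcome, ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample data: an address containing a quote is stored and looked up
// literally because it is bound, not concatenated into the query.
registerUser($db, "o'brien@example.com", 'correct horse battery staple');
var_dump(loginUser($db, "o'brien@example.com", 'correct horse battery staple'));
var_dump(loginUser($db, "o'brien@example.com", 'wrong password'));
var_dump(registerUser($db, 'not-an-email', 'correct horse battery staple'));
echo renderGreeting('<b>o\'brien</b>@example.com'), PHP_EOL;
```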

Error Reporting

Error logging can be useful in finding the problem spots in your application, but it can also expose information about the structure of your application to the outside world. To effectively protect your application from issues that could be caused by the output of these messages, you need to configure your server differently in development versus production (live).

Configuration files

When creating configuration files for your applications, best practices recommend that one of the following methods be followed:
  • It is recommended that you store your configuration information where it cannot be accessed directly and pulled in via the file system.
  • Information in configuration files should be protected accordingly, either through encryption or group/user file system permissions.
