Protect your Web site
Preventing intrusions
Here are some common sense practices to help you protect your Web site and its content from intrusions, theft, and defacement.
- Correctly secure your Web server.
- Update and patch your Web server software to help prevent exploits of known security vulnerabilities.
- Protect the password used to update your Web site. Use secure software when logging in to the account tied to your Web site. For example, use SSH or Kerberos for shell/terminal connections, and SFTP or Kerberos-based FTP for file transfer.
- Use Secure Sockets Layer (SSL) when data integrity and encryption are needed. Obtain an SSL server certificate from a well-known Certificate Authority such as Thawte.
Controlling access
Here are some tips for controlling access to content:
- Use Pubcookie to password-protect access to content when your audience consists of people with UW NetIDs.
- Control access to restricted content using names and passwords rather than imposing less secure restrictions based on host names or IP addresses.
- Require the use of SSL to protect passwords used by visitors to access restricted content.
- When using passwords to restrict access, assign a unique name and password to each user, rather than sharing a single name and password among all visitors.
- Create a good initial password for users. If users are able to change their assigned password, enforce a policy of requiring good passwords.
Developing safer interactive sites
Tips for developing interactive Web sites:
- Familiarize yourself with Web security issues before adding interactive elements to your Web site.
- Link to remotely hosted tools, such as Catalyst tools, to off-load security risks from your Web server. This is a good way to take advantage of the work done by others.
- Obtain 3rd-party tools, scripts, and Web-based packages from reliable, heavily-trafficked sources such as resourceindex.com.
- When installing 3rd-party tools, don't take the installation instructions as gospel. Review each step and make sure it applies to your environment. The assumptions made by the developers aren't always correct.
- If you must implement your own interactive elements, learn about secure programming. Do some research beforehand to learn about common pitfalls such as cross-site scripting attacks, tainted user data, and forms hijacking. See references below.
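As an added illustration of the "tainted user data" and cross-site scripting pitfalls named above (example code written for this page, not from the original site or any UW tool), the Python snippet below places a naive page that reflects form input unchanged beside a hardened version that validates a NetID-style field against an allowlist and HTML-escapes free text on output. The form fields, the allowlist pattern and the sample submissions are assumptions made for the example.

```python
import html
import re

# Constructed sample form submissions (not from the original page).
SUBMISSIONS = {
    "benign": {"netid": "jdoe", "comment": "Hello from Seattle"},
    "bad_netid": {"netid": 'jdoe"><i>', "comment": "hi"},
    "bad_comment": {"netid": "jdoe", "comment": '<b onmouseover="x()">hi</b>'},
}

# Hypothetical allowlist for a NetID-style field: short, lowercase alphanumerics only.
NETID_RE = re.compile(r"^[a-z0-9]{1,16}$")


def render_unsafe(form):
    """The pitfall: tainted user data is dropped straight into the HTML."""
    return (f'<p>Welcome, <span class="user">{form["netid"]}</span></p>'
            f'<p>You said: {form["comment"]}</p>')


def validate_netid(value):
    """Return the value if it matches the allowlist, otherwise None."""
    return value if NETID_RE.fullmatch(value) else None


def render_safe(form):
    """Hardened: validate structured fields, escape free text on output."""
    netid = validate_netid(form["netid"])
    if netid is None:
        # Do not echo the rejected value back; a fixed message avoids a second reflection point.
        return "<p>Invalid NetID.</p>"
    # html.escape(quote=True) turns < > & " ' into entities, so the browser renders
    # the comment as text instead of parsing it as markup or attribute content.
    comment = html.escape(form["comment"], quote=True)
    return (f'<p>Welcome, <span class="user">{netid}</span></p>'
            f'<p>You said: {comment}</p>')


def reflects_raw_markup(rendered, form):
    """Check helper: does any submitted value containing '<' appear verbatim in the page?"""
    return any("<" in v and v in rendered for v in form.values())
```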
Web site security references:
- The World Wide Web Security FAQ
- eXtropia: Introduction to Web Security
- Ten Ways to Protect Your Web Commerce Site
Cross-site scripting references:
- SQL Injection
- CERT advisory on Cross-site scripting vulnerabilities
- Understanding Malicious Content Mitigation for Web Developers
- Cross Site Scripting Info: Encoding Examples
- Preventing Cross-site Scripting Attacks (in Perl)
- HOWTO: Prevent Cross-Site Scripting Security Issues (Q252985) (in ASP)
- Checking Data (in PHP)
