Tune The Web

Tune Your Security

Introduction

Security is a huge issue for any website running today. The open nature of the web means that it is very easy for your website to be compromised from the other side of the world. Even if you do not think you are big or important enough to be a target for anyone in particular, hacking an extra website doesn't cost much in time or effort. If you monitor your web server logs closely enough you will be surprised at the number of illegitimate requests every website gets. While the chance of a security breach may be small, the knock-on effects to your business, and in particular your reputation, can be huge and very difficult to recover from.

Securing your website properly can seem like a daunting, never-ending task; however, there are a number of things you can do which drastically improve the security of your website, often with little negative effect.

Top 5 Security Recommendations

Here at Tune The Web I'm aiming, first and foremost, to give practical and useful advice that website owners can use. With that in mind I have prepared this top 5 list of security recommendations I think every website should consider as a first step into securing your website:

  1. Keeping Your System Up To Date

    The most important item is to ensure you keep your system up to date. Hardly a day goes by without a new security issue being raised in software in use by nearly all websites around the world. Software vendors are (mostly) very proactive about addressing security issues in their software and often release security patches very shortly after vulnerabilities are found. So the best chance of keeping your system secure is by ensuring you have the most up to date software. Note that this does not necessarily mean running the latest version of the software, as some operating system distributions work hard on keeping older versions patched as well, which allows enterprise systems to be both secure and stable. However, in general, running the latest versions of software is recommended where possible for a number of very good reasons - including security, supportability, performance and access to new features. Even if you are running a hosted site on a particular CMS (e.g. WordPress or Joomla), you often have the option to upgrade to new versions and should aim to do this when offered that option. The cvedetails.com website lists all the known security issues for most major software platforms and versions. For example, it lists the known security issues for the Apache web server.

  2. HTTPS

    Unless you have a good reason not to, you should use HTTPS on your website - for all of your website. In the past implementing HTTPS was a costly process in terms of time, money and performance. However, with increases in processing power the performance hit is minimal for most websites. Yes, the initial connection will have a small performance hit (though there are methods of minimising that too), however the gains in security make this more than worthwhile. The web is slowly moving towards HTTPS by default and companies like Google are already penalising those sites which remain on HTTP. Having an HTTPS website should be the new standard: it provides security for your website, security for your visitors and also instills trust in your company and brand. Learn more about HTTPS.

  3. HTTPS Setup

    If you already have HTTPS, then it's important to check it's configured correctly. A badly configured HTTPS server is almost as bad as not having any HTTPS at all - worse in some cases, depending on how your browser displays this. There have been many vulnerabilities discovered in SSL/TLS in the last year or two and it's important you are not running an insecure configuration. SSL Labs have an excellent free scanning tool where you can type in your website address and it will grade your HTTPS configuration. They even publish a free SSL/TLS Deployment Best Practices document which is kept up to date regularly. Best practice is to make your whole site HTTPS only, and I would also strongly advise you to consider implementing HSTS as well. Learn more about setting up HTTPS properly.

  4. HTTP Security Headers

    If you are hosting your own web server, or have access to your web server configuration, then there are a number of HTTP security headers you can set to secure your website. HTTP headers are sent back by the web server for every request and tell the web browser exactly how the resource that was requested is to be used. There are a number of standard headers which can switch on various security settings in the browser, restricting and locking down how the user can use your website in the browser. These settings prevent your website from being used in the wrong way, which might happen if one of your visitors is hacked and their browser tries to make requests it should not. These HTTP headers, when used correctly, can add a lot of protection for only a small upfront investment to set them up. Learn more about HTTP Security Headers.
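    To tie points 3 and 4 together, here is a small Python checker, added as an example and not code from the original page, that parses a constructed HTTP response and reports missing or weak security headers; the one-year HSTS max-age threshold and the particular headers it checks (HSTS, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy) are this example's own assumptions about what a sensible baseline looks like.

```python
# Constructed sample response (not captured from any real site): HSTS is set
# but with a very short max-age, and several other security headers are missing.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

# One year in seconds: an assumed threshold, sensible once you are confident the
# whole site works over HTTPS (a short max-age gives very little protection).
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response; names are lower-cased."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or 0 if absent/malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security (HSTS)")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age too short: {hsts_max_age(hsts)}")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "frame-ancestors" not in csp and "x-frame-options" not in headers:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return findings
```

    Run `audit_headers(parse_headers(SAMPLE_RESPONSE))` to see the findings for the sample; point `parse_headers` at the raw response from your own server (for example the output of `curl -sI`) to check a live configuration.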

  5. Web Application Firewall (WAF)

    A Web Application Firewall (WAF) is an extra piece of software that you can use to scan your HTTP traffic. Unlike a regular firewall, which simply restricts network traffic to certain ports or applications, a WAF inspects the actual contents of each request and applies a set of rules to decide whether the request should be allowed through. This can be necessary as web servers are now much more than just static billboards advertising your wares. With more complex applications on the web (from e-commerce, to online banking, to customer portals), the HTTP protocol can give a lot of access to data and systems, and the extra layer of protection a WAF provides can help ensure that the application and its underlying data remain secure. Installing and managing a WAF is not a simple thing, and it can take considerable time to set up and to maintain going forward. However, it is worth considering if you run complex applications on your website that require the level of protection they offer. Learn more about Web Application Firewalls.

Summary

Security is a complex issue, and is not something that can be summed up in a quick web post like this. The aim of this page is not to provide in-depth security details, but to give some basic settings that all websites should look at. Depending on what you use your website for, a full Penetration Test (aka Pen Test) by a dedicated security company may be appropriate. They can be expensive (price is usually measured in thousands of euros/pounds/dollars). All the above issues should be examined as part of any Pen Test, so it is good to get them addressed before any scan so the testers can spend their time concentrating on the issues specific to your site rather than on this general advice.

This page was originally created on and last edited on .
