Hi,
Developing a website is not as easy as it may look or sound. Every time you write code you need to keep two things in mind, above all performance and security. In my earlier posts (see also compression and caching) I discussed performance. In this one I will explain the most common security failures in a programmer's life.
To start with, no one and nothing can teach you how to build a hack-proof system. Here is the fact: everything is hackable, every security measure can be breached. The best you can do is mislead the attacker. There is always someone somewhere who knows more than you and can break into your system, so the best plan is to stick to a few basic rules.
HTACCESS - Security
1. Never use actual URLs.
Always try to mask the URL using htaccess. For example, you have an image:
<img src="img/logo.jpg" /> Now, instead of "img", keep "logo.jpg" in some other directory with a name that is not easily guessed, such as "assets/image_lib", where assets is a directory and image_lib its subdirectory. To make "img/logo.jpg" point to "assets/image_lib/logo.jpg", create a .htaccess in the root directory with the following URL rewrite:
RewriteEngine on
# \. matches a literal dot; an unescaped . would match any single character
RewriteRule ^img/(.*)\.(jpg|png|gif|jpeg)$ assets/image_lib/$1.$2 [L]
2. Forbid Directory
Even if someone gets to know the actual directory, prevent from seeing the content of the directory, for this create a new .htaccess file inside the directory whose access you want to forbid with the following:
Options -Indexes
e.g. I have a path "http://localhost/directory" with the following output:
Now, after I created a .htaccess with "Options -Indexes" in it, this is what I get:
But you can still access the file directly as:
3. Protecting your admin area
Most of the time it is advisable not to keep your public site and the admin site in the same directory; rather, create a separate URL for the admin to log in. But even then, if anyone gets hold of that URL, you can still prevent end users from accessing that directory. This can be done either by using Windows authentication, or by creating a .htaccess file in the root directory of the admin area with the following:
# Apache 2.2 access syntax (needs mod_access_compat on Apache 2.4).
# Deliberately not wrapped in <Limit GET>: a <Limit> section only covers the
# methods it names, so POST, PUT and others would bypass the rules entirely.
AuthType Basic
AuthName "Admin area"
AuthUserFile /path/to/.htpasswd   # placeholder path: point it at your own password file
Satisfy Any
Order Deny,Allow
Deny from all
Allow from ###.###.###.###
Allow from ###.###.###.###
Allow from ###.###.###.###
Require valid-user
With the above in place, the server returns an error page whenever someone whose IP address is not in one of the ###.###.###.### entries tries to open a page in the admin area. These are normally the addresses of the machines the admin logs in from. You can add as many IPs to the list as you want; every other IP is blocked.
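To see exactly what the directives above decide, here is an added Python model of Apache's host-based access check with Satisfy Any (this is illustrative code written for this post, not Apache's own logic). The allow-list addresses are constructed examples standing in for the ###.###.###.### placeholders, and the optional limited_methods argument shows why wrapping the rules in <Limit GET> would leave other request methods unprotected.

```python
import ipaddress

# Constructed allow-list standing in for the ###.###.###.### entries in the post.
ADMIN_ALLOW = ["203.0.113.10", "198.51.100.0/24"]


def host_allowed(client_ip, allow_list):
    """Order Deny,Allow + Deny from all + Allow from <list>: the client passes
    the host check only if it matches an Allow entry (single IP or CIDR)."""
    ip = ipaddress.ip_address(client_ip)
    for entry in allow_list:
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def admin_access(method, client_ip, valid_user, limited_methods=None,
                 allow_list=ADMIN_ALLOW):
    """Return 'allow' or 'deny' for one request against the admin directory.

    limited_methods=None models the directives standing on their own, which
    is the intended configuration.  limited_methods=("GET",) models a
    <Limit GET> wrapper: any method not listed is never checked at all.
    valid_user is True when the client supplied valid Basic-auth credentials.
    """
    if limited_methods is not None and method.upper() not in limited_methods:
        return "allow"  # the <Limit> section does not apply: no restriction
    # Satisfy Any: passing EITHER the host check OR authentication is enough.
    if host_allowed(client_ip, allow_list) or valid_user:
        return "allow"
    return "deny"
```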
DATABASE - Security
1. Encrypted Password
Whenever you store a password, it is advisable to encrypt it before storing it in the database. That way even the developer who designed the database cannot see the passwords of the users registered on the site.
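The standard way to get the property described above (nobody, including the developer, can read the stored value back) is a salted one-way password hash rather than reversible encryption. The following is an added example, not code from the post, using Python's hashlib.scrypt with cost parameters chosen for the example; the "scrypt$salt$hash" storage format is an assumption of this snippet.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters for this example (assumptions, not values from the post).
N, R, P, SALT_LEN, DK_LEN = 2 ** 14, 8, 1, 16, 32


def hash_password(password, salt=None):
    """Return 'scrypt$<b64 salt>$<b64 hash>' for storage in the users table.

    A fresh random salt per user means two users with the same password get
    different stored values, and the stored value cannot be reversed."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=N, r=R, p=P, dklen=DK_LEN)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode("ascii"),
                             base64.b64encode(dk).decode("ascii"))


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed stored values are rejected instead of raising."""
    try:
        scheme, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False
    if scheme != "scrypt" or len(expected) != DK_LEN:
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=N, r=R, p=P, dklen=DK_LEN)
    return hmac.compare_digest(dk, expected)
```

At login, fetch the stored string for the user and call verify_password on the submitted password; never compare the plain text against anything stored.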
2. Server in Remote Location
Try not to use the hosting server as the database server; keep your database and your files on different servers. If you don't, it is a matter of minutes for anyone to get the IP of your database. e.g. you have hosted your files on a server under the domain http://www.my_website_name.com, and the same server holds the database. All a user has to do is run a "ping" command:
ping -t www.my_website_name.com
and the console returns the IP address. Half of the attacker's job is done by that.
That's it for now, but stay tuned for more updates on website security, including PHP-based security, SQL injection and a lot more.
Very Nice Blog..
Thanks Hasan.