Website security has never been more important. Consumer expectations are higher than ever before, and a compromise of your customers' data puts your brand's reputation at serious risk.
Your technology partner is responsible for keeping your application data secure, so how do Logic+Magic make sure your site remains resilient against the ever-rising tide of complex online attacks, and give our clients the confidence they need to relax and know that everything is protected?
Of course, each project we build is nuanced and always requires specific considerations; however, there are foundational best practices we will always implement.
Website security: back to basics
The most critical place to keep secure is the connection between the browser and your website. Before Google started using secure connections as a ranking signal, SSL (as it was then called) was reserved for e-commerce and transactional sites because certificates were costly and complex to set up. Nowadays, with services like Let's Encrypt providing free certificates, running every site over HTTPS is easily done.
When a user navigates to an HTTPS website, the browser initiates a TLS handshake with the server, which involves negotiating the encryption algorithms to be used, authenticating the server through its digital certificate, and establishing a secure session.
This handshake results in the generation of session keys that encrypt the data transmitted between the browser and server, hiding it from prying eyes on open networks on the train, in the coffee shop or at the library. As a result, data confidentiality, integrity and authentication are maintained, protecting customers against eavesdropping, man-in-the-middle attacks and data tampering.
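Running every site over HTTPS also means plain-HTTP requests must be turned away. The following is an added example (not Logic+Magic code) of a request-handling function for a Node.js app that sits behind a reverse proxy: any request arriving over HTTP is answered with a permanent redirect to the HTTPS origin, and HTTPS responses carry a Strict-Transport-Security header so returning browsers never try HTTP again (HSTS goes a step beyond what the text describes). The hostnames, paths and the x-forwarded-proto convention are assumptions; the Host header is attacker-controlled, so it is checked against an allow-list before being echoed into a Location header.

```javascript
// Added example: enforce HTTPS for every request. Written as a pure function
// over a minimal request object so it can be tested without opening sockets.

const ONE_YEAR_SECONDS = 60 * 60 * 24 * 365;

// Hostnames this deployment serves (constructed sample values). Never build a
// redirect from an unvalidated Host header, or the redirect becomes a way to
// bounce users to an arbitrary site.
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']);

// req: { headers: { host, 'x-forwarded-proto'? }, url, protocol? }
// Returns { status, headers } describing the response to send. A 200 means
// "carry on and serve the page with these extra headers".
function enforceHttps(req, allowedHosts = ALLOWED_HOSTS) {
  const host = String(req.headers.host || '').toLowerCase();
  if (!allowedHosts.has(host)) {
    // 421 Misdirected Request: we do not serve this hostname at all.
    return { status: 421, headers: {} };
  }

  // Behind a proxy the TLS connection terminates at the load balancer, which
  // reports the original scheme in x-forwarded-proto (assumption: the proxy
  // overwrites any client-supplied value, so this header can be trusted).
  const proto = String(req.headers['x-forwarded-proto'] || req.protocol || 'http').toLowerCase();

  if (proto !== 'https') {
    // Permanent redirect, preserving path and query string.
    return { status: 301, headers: { Location: `https://${host}${req.url}` } };
  }

  // Already secure: tell the browser to use HTTPS for a year, subdomains too.
  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`,
    },
  };
}

module.exports = { enforceHttps, ALLOWED_HOSTS };
```

The function is called first in the request pipeline; only a 200 result lets the request reach the application. The allow-list and the trust placed in x-forwarded-proto are the two deployment-specific decisions to review when the proxy or hostnames change.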
Going a bit further
The next thing we look at is hardening the server your site is hosted on. Server hardening is the process of securing a server by reducing its attack surface, and it is an ongoing process. Primarily we implement a variety of best practices and configurations to minimise the risk of unauthorised access, data breaches and other security threats. Typically, this involves:
Keeping your server up to date
Both the operating system and the software on the server are kept up to date so that known vulnerabilities are patched promptly.
Remove unnecessary software
By getting rid of unused applications, you reduce the number of ways a would-be attacker can interact with your server.
Configuring your firewall
Setting up the server’s firewall to control incoming and outgoing traffic, allowing only necessary ports and protocols.
User account management
Ensure that user accounts have only the privileges their roles require and, where passwords are used, that the server enforces a strong password policy.
File permissions
Set file permissions to be as restrictive as possible. By doing so, we make sure files are only accessible to the users who need them, closing off attack vectors and reducing the scope of any data breach.
On top of this, it is important that these are checked frequently. By having a regular programme of review, you can catch early signs of security degradation and remind people of their responsibilities when they work on the server.
Application design
Implementing robust security measures is essential, but it doesn't eliminate the risk of inadvertently disclosing user information. The application is the major attack surface, with many potential vulnerabilities within it, all exposed publicly on the Internet. Our developers regularly review OWASP guidance and keep track of the OWASP Top 10 to make sure we're mitigating the most common attack vectors during our development process.
A new entry in the Top 10 for 2021 was Insecure Design. Whilst it's a very broad concept, it captures the idea that business logic, architecture and design patterns all need to be implemented securely, with authentication and data access considered from the start.
One issue we see regularly when conducting security audits on external websites is public-facing APIs returning personal information. By requiring proper authentication using technologies such as JWT (JSON Web Tokens) or OAuth, we can prevent unauthorised access, but that's not the whole story.
Even with safeguards in place, determined individuals may still uncover sensitive user details without going through the standard authentication process.
Consider a scenario where a user attempts to reset their password but provides an incorrect email address. Normally we want to help users recover from errors as much as possible, and whilst it might seem helpful to return an error message stating, "That email doesn't exist on this platform," this can unintentionally expose information that an attacker could exploit.
If the system does not return any error, the attacker could reasonably infer that the account associated with that email does exist. This is why many high-profile websites adopt a more cautious approach, opting for responses like, “Check your email for password reset instructions,” which do not confirm or deny the existence of an account. The same principle applies during login attempts; we should avoid explicitly stating whether a password is incorrect, as this could aid an attacker in guessing valid credentials.
Another significant source of accidental disclosure is the use of sequential identifiers to access resources. Most databases automatically assign an incrementing numerical ID to each record, user records included. For instance, if a user logs in and can access their profile information via a URL like /users/1, they might be curious enough to try /users/2 or other user IDs. That curiosity leads to unauthorised access if proper checks are not in place. While it is possible to manage this risk by verifying the caller's permissions on every request, a more effective solution is to eliminate the need to supply an ID altogether.
Instead, we can enhance security by requiring authenticated users to retrieve their data through a request to /users, where the server validates the provided token and returns only the information associated with that specific user. This not only minimises the risk of accidental disclosure but also simplifies integration, because the endpoint only ever returns the authenticated user's own data.
So, while we've seen that implementing robust security measures is crucial, it's equally important to consider how we implement business logic and what our responses reveal about which information exists and which doesn't, so that outsiders cannot learn too much about our application.
Conclusion
Securing your application is not just a best practice, it’s a necessity. Cyber threats are becoming increasingly sophisticated, the average user is becoming more tech savvy, and individuals are becoming more aware of how and where their data is stored. Adopting a proactive approach to security is crucial for protecting your brand and customer trust.
At Logic+Magic we believe that security is an ongoing journey and our commitment to keeping your data secure means we are constantly evaluating and improving our security measures, keeping us ahead of emerging threats.
If you are concerned about the security of your website or application, get in touch. Let our team of seasoned web developers conduct a comprehensive security audit to identify vulnerabilities and develop a bespoke strategy to safeguard your site and customers' data.