Website security is a fascinating subject. Individuals, organizations, and entire governments are at stake here. Top-class security is a must-have for all websites. Imagine the website of an international bank goes down for example. We're talking several billions of dollars and people's data being at stake here.
For this reason, individuals, companies, and even countries spend massive amounts of money to ensure their sites are protected at all times. Sometimes, it might seem like a lot of work, but trust me when I say, "Prevention is better than cure!"
Let's take a look at some security features every website should have;
First off, what is hotlinking?
One website uses another site's resources to host their assets on your site. I know right, completely despicable! If it's your site that's being hot-linked, your website's resources are being used by this other site. Now, have it in mind that you pay for the resources you use when it comes to websites. So basically this other website is using your resources, without your consent, for their gain. See why it's bad?
So how does one implement hotlink protection? There are many ways to go about this. Here are some you can try;
Part of the reason most software rolls out new updates is that new vulnerabilities are found every day. Hackers and even bots keep finding loopholes and vulnerabilities regularly, creating the need for newer, more secure software.
Keeping this in mind, you need to update all versions of the software and plugins that you use. It is a must. An outdated system is prone to attacks and exploitation from malicious users. The same way you cannot expect an old fence to keep Rome safe is the same way you cannot expect old systems to protect you from modern, more refined cyber-attacks.
We all know that feeling. We find that one password that is strong and meets all the requirements. This special password also happens to be the one you remember easily. What do we do? We decide to use this password for everything. Every, single, thing!
This might seem ideal to us at first. Why use multiple passwords we'll never remember when we can use one we can remember for all things? We might even get away with it for a very long time. But remember, evil never sleeps! Hackers and bots are scouring the web for their newest prey. They just might find you.
Imagine you hear a rumour that there is a house with a hidden treasure chest filled with diamonds. You hear it's somewhere in a forest. You manage to get your hands on the key to the main door. Now, you also heard all the doors are locked, so you carry an axe with you to break down the rest of these doors. Metal doors might I add. This is a difficult task. You proceed regardless of that fact.
But when you get there, you discover the key for the main door is the same key for all the other doors! It's also the key that opens the treasure chest!
Now imagine you're the one who hid this treasure chest initially and another person was with this powerful key. What if that's your retirement savings right there, hidden in the treasure chest? Now you see why you cannot have one key that opens all your doors.
In the same way, you simply cannot use the same password for every single thing. Especially not for your website.
Also remember, you have to change your passwords regularly to render previously discovered passwords ineffective.
According to Wikipedia;
Take, for example, if a user is signed into a social network, say Instagram. Now, in CSRF attacks, the attacker would craft a link and embed it into the page. When a user clicks on the link, the cookies used by that website will automatically be included by the browser and submitted to the server.
The reason this is so effective is that the web server would think the request was sent by an authenticated user.
These links are usually placed in regions on a web page a user is likely to visit, like a chat section or a profile section. Some of these links are even placed in HTML tags of emails sent to the users.
Some web frameworks like Django provide in-built protection against CSRF attacks. Other ways we can prevent CSRF attacks are;
This targets a website's users simply by injecting code. The attacker injects a malicious code, usually to a client-side script like JavaScript, and allows the attacker to execute scripts in their desired manner.
This vulnerability usually allows an attacker to disguise as a user, to perform actions that the user can perform and to access any of the user's data. If said user has special privileged access within the application, take an admin for example, then the attacker might be able to gain access and control over all of the application's data and functionality.
There are three main types of XSS attacks. These are:
This sounds scary. Luckily, there are ways to combat this;
Content-Security-Policy: default-src 'self'This allows only content to come from the site's origin. The following allows content to be loaded from a trusted domain. The domain does not have to be the same as the one the CSP is set on.
Content-Security-Policy: default-src 'self' sample.com *.sample.com
These are among the many security vulnerabilities that can be exploited in websites. Attackers are always upgrading so more will come out. We need to ensure our websites are secure at all times to prevent data and monetary loss.
In my research for this blog post, I found these articles to be of immense value;
Cover Image by: Pankaj Patel on Unsplash
I also had special help from Righteous Ofuka
Stay tuned for more great content!