Security in fullstack web development
Last week I gave a small talk at the Hack & Beers event in Lleida to explain my experience with security as a web developer, and I tried to give some advice on how to protect your web projects from attacks. SVT Cloud invited me to give the talk, where I also had the opportunity to meet some security experts (a *lot* more expert than me) like @Miguel_Arroyo76 and @eduSaoe. Moreover, thanks to Semic for the free beers!
I've divided it into four separate blocks: how to protect your server and network, which things you need to keep in mind when you write the code and manage your databases, some generic and even front-end security advice, and how to protect your own users.
Throughout all these years I've been hacked, infected and almost lost an entire database due to online attacks on some of my projects. That's why I thought my experience would be useful.
Secure your server and network:
- Always use SSL if possible. You can get a free SSL certificate from StartSSL
- Use Secure FTP (SFTP), not the old FTP protocol.
- If you're developing from the outside, consider creating a secure VPN.
- If possible, use only one network service per server.
- Check all file permissions (especially in .php projects)
- Update your server, especially if there's a new 0-day security fix.
- Subscribe to security newsletters from the software you're using (Drupal, Plone, etc.)
- Define a strong security policy
- Less software means fewer vulnerabilities
- Use a firewall and an IDS (Intrusion Detection System)
- Control your open ports
A couple of useful utilities to maintain a healthy server:
- Logwatch: Monitors your server logs and sends you a digest
- Apticron: Sends you an email about pending package updates
Secure your code
- Consider using a known and proven framework (Laravel, Django, Pylons, Symfony,...)
- Create a database user and check its permissions. Don't use root!
- Encrypt passwords the right way. Here's a good link about hashing keys.
- Learn how to avoid Cross-site request forgery (CSRF) attacks
- Learn how to avoid Cross-site Scripting (XSS) attacks
- Beware of SQL injection
- Never trust the client (browser). Check data twice.
- HTML5 also has security risks, check html5sec.org
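To make three of the points above concrete (check client data on the server, hash passwords with a salt and a slow function, and keep user input out of the SQL string), here is a small added example written for this post, not code from the talk or from any of the frameworks named. It uses only Python's standard library and a constructed in-memory SQLite table standing in for a real users table.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed in-memory table standing in for a real users table (example only).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

ITERATIONS = 200_000          # PBKDF2 work factor; raise it as hardware gets faster
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def valid_username(username: str) -> bool:
    """Server-side check of client-supplied data, whatever the browser validated."""
    return bool(USERNAME_RE.fullmatch(username))


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash (PBKDF2-HMAC-SHA256), not a bare MD5/SHA-1 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> bool:
    if not valid_username(username):
        return False
    salt = os.urandom(16)                     # fresh random salt per user
    # Parameterised query: the driver binds the values, so input never becomes SQL.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    return True


def login(username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)
```

With a framework such as Django or Laravel the ORM and the built-in password hasher do the same two things for you; the point is that neither step is left to the browser.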
Don't forget to protect your users from other users
- Block registration of users using disposable email services. Import this list, for example.
- Let users report other users
- Detect and control mass actions (private messages, etc)