The shift

Simple steps to checking your website security

Web security, by Martin

It’s fair to say that when gathering website requirements from stakeholders, security is rarely a top priority. Normally, and understandably, it’s the user experience and business objectives that are front of mind. However, with the advent of GDPR and high-profile data breaches at British Airways and Facebook making headline news, your customers are more concerned than ever about their personal data being leaked.

Salesforce recently reported that 59% of consumers believe their personal data is vulnerable and 54% don’t believe that companies have their best interests in mind when processing their data. Collecting and using your customer data is a privilege; if you don’t secure it, you risk losing it, shortly followed by your customers’ loyalty and trust.

It’s more important than ever that web security is part of how companies think about their sites. So why not take 10 minutes to quickly assess your current site?

There are simple checks and changes you can make to improve the overall security of your website. When a security change such as running under HTTPS also improves search engine rankings and site speed (browsers only use HTTP/2 over HTTPS), and in turn conversions and revenue, brands can’t afford to leave it at the bottom of the list.

Easy to use online tools are available to help you understand if there are areas for improvement with your site.

HTTPS

The first thing to change if you’re not already running under HTTPS is to make the move now. It’s considered best practice to run your website under HTTPS for a number of reasons, including Google Chrome now marking every site that doesn’t as “Not secure” in the address bar. It’s easier than ever to add to your site, with zero-cost certificates from Let’s Encrypt.

But that’s only part of the story: has your agency configured the servers to disable the protocol versions with known weaknesses (SSLv2, SSLv3, TLS 1.0 and TLS 1.1) and the weak cipher suites that go with them? Modern web browsers negotiate TLS 1.2 or 1.3, so nothing older needs to be enabled for people to use your site. Take the test at SSL Labs, which grades exactly these settings.
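The SSL Labs test works by offering the server one protocol version at a time and recording which ones it accepts. The script below is an added example, not from the original post or from SSL Labs, that does the same from your own machine with Python’s standard `ssl` module; the split into “legacy” (SSLv3, TLS 1.0, TLS 1.1) and “modern” (TLS 1.2, 1.3) is my assumption of what a current browser needs, and `example.com` is only a placeholder host.

```python
import socket
import ssl

# Versions modern browsers negotiate vs. the legacy ones SSL Labs grades down.
# Assumption (not from the post): TLS 1.2/1.3 are "modern", everything older is legacy.
LEGACY = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
MODERN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_version(host, version, port=443, timeout=5.0):
    """Offer exactly one protocol version to the server.

    Returns True if the server completed a handshake at that version,
    False if it refused, and None if this client's OpenSSL build cannot
    even offer the version (common for SSLv3 and TLS 1.0 today) or the
    connection failed for a non-TLS reason.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol support, not the certificate chain, so skip
    # verification here. Never do this in application code.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False   # server rejected the version (or shares no cipher with us)
    except OSError:
        return None    # DNS, connect or timeout failure: no verdict


def probe_host(host, port=443):
    """Map each protocol version to the probe result for one host (needs network)."""
    return {v: probe_version(host, v, port) for v in LEGACY + MODERN}


def assess(results):
    """Summarise {ssl.TLSVersion: True/False/None} the way a scanner report would.

    Returns the legacy versions the server still accepts, whether any modern
    version is available, and the versions this client could not test.
    """
    return {
        "legacy_enabled": [v.name for v in LEGACY if results.get(v) is True],
        "modern_available": any(results.get(v) is True for v in MODERN),
        "untested": [v.name for v, r in results.items() if r is None],
    }


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(host, assess(probe_host(host)))
```

Run it as `python3 tls_probe.py yourdomain.example`. A modern OpenSSL may itself refuse to speak TLS 1.0 or SSLv3, in which case those show up under `untested` rather than as a clean bill of health, so still cross-check with SSL Labs.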

HTTP Response Headers

Less widely known than HTTPS, it is possible to further secure your site by sending appropriate HTTP response headers with every page: Strict-Transport-Security (so browsers only ever use HTTPS for your domain), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and Referrer-Policy. Security Headers is a great tool for checking which of these your site sends and grading the result.
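To show what the Security Headers tool is actually grading, here is an added example (not from the original post or from the Security Headers service) that applies the same checks to a response’s header set. The two header sets are constructed for illustration, and the thresholds (a one-year HSTS max-age, refusing version strings in Server and X-Powered-By) are my choices of what a reasonable baseline looks like.

```python
# Constructed header sets for illustration, not captured from any real site.
WEAK = {
    "Content-Type": "text/html",
    "Server": "Apache/2.4.29",
    "X-Powered-By": "PHP/7.2",
}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

ONE_YEAR = 365 * 24 * 3600  # HSTS max-age in seconds; assumed minimum for a good grade


def hsts_max_age(value):
    """Extract max-age from an HSTS header value, or None if absent or malformed."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def check_headers(headers):
    """Return (header, problem) findings for a response's security headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security",
                         "missing: first visits and http:// links are not upgraded"))
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append(("Strict-Transport-Security", f"max-age={age} is under one year"))
        if "includesubdomains" not in hsts.lower().replace(" ", ""):
            findings.append(("Strict-Transport-Security", "includeSubDomains not set"))

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("Content-Security-Policy", "missing: no limit on where scripts load from"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "should be 'nosniff' to stop MIME sniffing"))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("X-Frame-Options",
                         "missing and CSP sets no frame-ancestors: clickjacking possible"))
    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "missing: full URLs may leak to third parties"))
    for name in ("Server", "X-Powered-By"):
        value = h.get(name.lower(), "")
        if any(ch.isdigit() for ch in value):
            findings.append((name, f"discloses software version: {value!r}"))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_headers(hdrs) or "no findings")
```

To run it against a live site, feed `check_headers()` the `dict(resp.headers)` from any HTTP client; the same checks apply whether the headers come from a real response or the constructed samples above.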

General configuration

Mozilla, the organisation behind the Firefox web browser, provides Observatory, an easy-to-use tool that checks a wide range of configuration settings (TLS, headers, cookies and more) in one scan.

Multi factor authentication

Two-factor authentication (2FA) and multi-factor authentication (MFA) are available on a wider range of online services than ever before. They add an extra step to verifying a user’s identity, with the aim of making an attacker’s life harder and reducing the risk of unauthorised access to your data: a stolen or reused password alone is no longer enough to log in. If your website CMS supports multi-factor authentication, consider turning it on, and prefer an authenticator app or hardware key over SMS codes where you have the choice. It also reduces the opportunity for people to share their credentials, further improving security.

DDoS mitigation

Distributed Denial of Service (DDoS) attacks are increasing year on year. It’s easy to use Cloudflare to help protect your site from this type of attack, while also gaining the advantages that the content delivery network (CDN) element of their service provides. And with a free entry-level offering, there is no reason for even the smallest websites not to protect themselves.

Tip: Cloudflare only protects traffic that passes through it. After migrating, change your origin web server’s IP address (the old one survives in passive DNS archives) and restrict the origin’s firewall to Cloudflare’s published IP ranges, so the service cannot be bypassed by an attacker who finds the real address of your server.

Monitoring breaches

With data breaches making the news on an alarmingly regular basis, it’s never been easier to monitor the users associated with your domain with Have I Been Pwned: verify ownership of your domain and you can set up alerts that email you whenever an address on it appears in a newly loaded breach.

New acronyms to be aware of

Don’t know your XSS from your OWASP? There are a lot of acronyms used in the field of security. The two below, SRI and CSP, are worth considering on the back of a high-profile attack in which a compromised third-party script loaded by thousands of sites, including the Information Commissioner’s Office and parts of the NHS, was used to mine crypto-currency in visitors’ browsers for the attacker. A widely embedded third-party script is an attractive target because an attacker only needs to compromise a single supplier to reach every site that loads it.

Sub resource integrity

Simple to implement, subresource integrity (SRI) lets you put a cryptographic hash of a third-party script or stylesheet in the integrity attribute of the script or link tag. The browser recomputes the hash of the file it actually fetched and, if it doesn’t match, refuses to execute it, so unexpected code never runs on your site. Two things to be aware of when implementing SRI: the resource needs to be a fixed, versioned URL (not a “latest” URL), since any change, including a legitimate update, will fail the check until you update the hash; and a cross-origin resource must be served with CORS headers and loaded with the crossorigin attribute, or the browser cannot verify it at all.
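Generating the attribute and checking a file against it are both one hash apiece. The following is an added example, not code from the original post, that produces an integrity value from a file’s bytes and then mirrors the browser’s verification rules (only the strongest algorithm listed counts, and an attribute with no recognisable hashes results in no check at all, which is a common way SRI is accidentally switched off). The sample script is constructed for the example.

```python
import base64
import hashlib

# Constructed sample file, standing in for a versioned third-party script.
SCRIPT = b"window.widget = function () { return 'v1.4.2'; };\n"

# Algorithms the SRI spec recognises, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")


def make_integrity(content, algorithm="sha384"):
    """Produce the value for <script integrity="..."> from the file bytes."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr):
    """Parse 'sha384-xxx sha512-yyy' into [(algorithm, raw digest)].

    Unknown algorithms and undecodable base64 are skipped, as a browser does.
    """
    parsed = []
    for token in attr.split():
        alg, _, b64 = token.partition("-")
        alg = alg.lower()
        if alg not in ALGORITHMS:
            continue
        b64 = b64.split("?", 1)[0]  # drop any "?option" suffix the spec allows
        try:
            parsed.append((alg, base64.b64decode(b64, validate=True)))
        except ValueError:
            continue
    return parsed


def verify_integrity(content, attr):
    """Mirror the browser check.

    Only digests for the strongest algorithm present are considered, and the
    file passes if any of them matches. If nothing parseable is present the
    browser performs no check, so this returns True: a typo in the attribute
    silently disables SRI rather than blocking the script.
    """
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max((alg for alg, _ in parsed), key=ALGORITHMS.index)
    actual = hashlib.new(strongest, content).digest()
    return any(digest == actual for alg, digest in parsed if alg == strongest)


if __name__ == "__main__":
    attr = make_integrity(SCRIPT)
    print(f'<script src="https://cdn.example.net/widget-1.4.2.js" '
          f'integrity="{attr}" crossorigin="anonymous"></script>')
    print("unchanged file passes:", verify_integrity(SCRIPT, attr))
    print("tampered file passes:", verify_integrity(SCRIPT + b"//evil", attr))
```

Note the last case in the docstring: `integrity="md5-..."` or a mistyped prefix is treated as “no metadata” and the script loads unchecked, so confirm the attribute actually blocks a modified file before relying on it.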

Content security policies

Taking protection a step further, you can implement a content security policy (CSP) for your website. A CSP tells the browser which origins it may load scripts, styles, images and frames from, so an injected script tag pointing somewhere you haven’t allowed simply doesn’t run. Earlier drafts of CSP included a require-sri-for directive to refuse any script without an integrity attribute, but it was only ever experimental and current browsers no longer support it, so restrict script-src to the specific origins you trust instead. A CSP requires some thought to implement; you can deploy it in report-only mode (the Content-Security-Policy-Report-Only header), which reports violations without enforcing the policy, as part of your preparations. To assist with this you can use Report URI, which collects the violation reports and also provides useful ongoing monitoring and reporting functionality.
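As an added example (not from the original post or from Report URI), here is a small reviewer for a CSP header value: it parses the policy into directives and flags the settings that make script-src ineffective, along with the directives most first drafts forget. Both policies are constructed for the example, and the cdn.example.net and report-uri.com addresses in them are placeholders, not real endpoints.

```python
# Constructed policies for illustration. LOOSE is the kind of policy that
# "makes the warnings go away"; TIGHT is what a site loading one versioned
# CDN script actually needs. The report-uri value is a placeholder endpoint.
LOOSE = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; img-src *"
TIGHT = ("default-src 'self'; script-src 'self' https://cdn.example.net; "
         "object-src 'none'; base-uri 'self'; frame-ancestors 'none'; "
         "report-uri https://example.report-uri.com/r/d/csp/reportOnly")


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def review_csp(policy):
    """Return human-readable findings for a policy, empty if it looks sound."""
    d = parse_csp(policy)
    findings = []

    # script-src falls back to default-src when absent.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    else:
        for bad in ("*", "'unsafe-inline'", "'unsafe-eval'"):
            if bad in script:
                findings.append(f"script-src allows {bad}, which defeats the point of the policy")
        for src in script:
            if src.startswith("http:"):
                findings.append(f"script-src allows plain-HTTP source {src}")

    # Plugins (object-src) are not covered by script-src; lock them down unless
    # default-src 'none' already does.
    if "object-src" not in d and d.get("default-src") != ["'none'"]:
        findings.append("object-src not restricted; add object-src 'none'")
    if "base-uri" not in d:
        findings.append("base-uri missing; an injected <base> tag could redirect relative script URLs")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri/report-to: violations will go unseen")
    return findings


def report_only_header(policy):
    """Header to ship first: browsers report violations but block nothing."""
    return ("Content-Security-Policy-Report-Only", policy)


if __name__ == "__main__":
    for label, policy in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, review_csp(policy) or "no findings")
    print(*report_only_header(TIGHT), sep=": ")
```

Roll out with `report_only_header(TIGHT)` first, watch the reports for a week or two of real traffic (inline scripts and third-party tags you had forgotten about will show up there), then switch to the enforcing Content-Security-Policy header.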

This is just the start. Web security is ever-evolving and we’re always discovering more ways to improve it. But if this checklist has highlighted some opportunities for you to improve, don’t wait until your next website launch. Often you can enhance your security without needing excessive development resource.