Securing Web Applications
Websites and web applications have become a necessity in this world. From business, companies, education, collaboration, personal blogs, food and groceries, health and medicine, social media platforms, accessing government services and digital payments, and even voting, everything is available on the Internet. These days it has become common to get our daily work done with a few button clicks on a screen, and the common question is "are websites secure?". The answer is mostly, but not completely. Every legitimate website tries to provide the utmost security, but nothing on the Internet is completely, 100% secure.
Website vs WebApp:
Websites are static HTML, CSS and some JS files, displayed according to the styling provided in the CSS. Websites aren't dynamic: they can't submit forms, can't generate pages dynamically and may be limited in other aspects too. Web applications are programs which can accept form submissions, generate pages dynamically, communicate with a database to perform CRUD operations, and more.
Some of the security tips for website owners generally are:
- Getting an SSL certificate
- Creating secure passwords
- Keeping backups
- Updating websites to latest releases
These are some of the general security principles followed by website owners with limited technical knowledge. They are good for those who have just bought a domain and hosting and installed WordPress with a nice theme. Such people have no need to worry about server updates and security, or about how WordPress works; all they care about is the content and sometimes speed. For them the above steps are mostly enough, but for web applications we need a few more things than for a website.
Let us look at a few things we need to take care of while deploying our web apps.
- Never put Debug mode ON in production –
Many web frameworks like WordPress, Django and Laravel provide a development server which should never be used in production. Debug mode ON provides detailed error pages for developers, including information such as variable names and line numbers from the source code, which should not be exposed to the public.
- Restrict Access to server and close unused ports –
Running our web app in the cloud is a very good option; some good providers are DigitalOcean, Google Cloud, Azure and AWS. When you rent a virtual server, limit the people who can access it. It is better to use SSH to access the server. Always close unnecessary ports while running the server.
- Always update frameworks and application –
Updates are the best way to reduce bugs in our application. In the same manner, updating the framework we used to build the application is helpful, although sometimes we have to rewrite parts of our application's code; if the update is a long-term release, it is best to do it even if we have to rewrite the code.
- Keep the Database secure –
Many times we forget that the database is also a part of our application, and it is also necessary for us to keep it secure. Always use strong passwords, and limit the users who have access to run native commands on the database. It is also very good to choose the database according to the application's needs.
- DNS hosting –
DNS is the backbone of the Internet; it is the phonebook of the Internet. In simple words, DNS is the protocol which converts human-readable hostnames like geeksforgeeks.org to numbers computers understand, like 220.127.116.11. It is necessary for our web app to have a better and more widespread DNS, like Cloudflare's cloud-based DNS, which reduces the lookup time needed to find our server's IP and connect to it.
- Limiting API usage –
Many web apps use external services which are included using specially configured APIs for specific functions. Most API providers limit usage according to the plan, and it is also better for web app developers to implement rate limiting of their own APIs according to need, so that we don't pay any extra.
- Bot and Spam –
Many web applications also contain forms, for example to subscribe by email or to submit a query. Many bots these days have the ability to submit plain forms. To protect against this, it is better to keep reCAPTCHA with every form, which will keep most of the bots out. Google provides reCAPTCHA for free for basic usage.
- HTTP headers –
Most web application frameworks allow sending HTTP headers like HSTS, CSP, Referrer-Policy and Permissions-Policy, which help the browser determine the sources and protocols it should allow to load styles, scripts and media, in turn hardening the security of the web app by upgrading to HTTPS, protecting against XSS and more.
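As an added example (not code from the original article or from any framework it names), the Python below adds the four headers mentioned above to a response's header map without overwriting values the app already set, and audits a header map for missing or weak values; the policy strings are assumed illustrative defaults that you would tune per application.

```python
from typing import Dict, List

# Assumed baseline values for the headers discussed above (illustrative, not the
# article's own): a one-year HSTS, a restrictive CSP, and conservative
# Referrer-Policy / Permissions-Policy settings.
RECOMMENDED_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}

ONE_YEAR_SECONDS = 31536000


def hsts_max_age(value: str) -> int:
    """Parse the max-age directive out of an HSTS header value (0 if absent)."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0


def add_security_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the response headers with any missing hardening header added.
    Header names are case-insensitive, so an existing lower-case CSP is kept as-is."""
    out = dict(headers)
    existing = {k.lower() for k in out}
    for name, value in RECOMMENDED_HEADERS.items():
        if name.lower() not in existing:
            out[name] = value
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for missing or weak hardening headers."""
    present = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name in RECOMMENDED_HEADERS:
        if name.lower() not in present:
            findings.append(f"missing {name}")
    hsts = present.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < ONE_YEAR_SECONDS:
        findings.append("HSTS max-age below one year")
    csp = present.get("content-security-policy", "")
    if csp and "default-src" not in csp:
        findings.append("CSP lacks default-src fallback")
    if csp and "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline'")
    return findings
```

Run `audit_headers` against the headers your framework actually emits (for example from a test client) to confirm the configuration took effect.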
These are some of the basic things to look out for; you can look into more security features and policies by going through the documentation of the framework you used to create the web app.