Top Ten Web Security Tips
By Michael Smith [email protected]
http://www.teratech.com 301-881-1440
All websites are potentially vulnerable to hackers. Follow
these steps to make your site much more secure.
Code Security
Items marked (*) can be coded once in Application.cfm
1. * Have an error handler
   a. Don't display detailed error messages. Email the error to the admin instead, using CFERROR and CFMAIL. Don't store error info in hidden form fields: it can be viewed!
   b. Don't give extra info in error messages, e.g. "userid correct but password wrong".
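As an added example (not code from the handout), here is a minimal CFERROR/CFMAIL handler that does what tip 1 asks: the visitor sees only a generic message and a reference id, while the full diagnostics go to the administrator by email. The application name, the two email addresses and the filename errorhandler.cfm are placeholders, and the cfmail tag assumes a mail server is configured in the ColdFusion Administrator.

```cfml
<!--- Application.cfm (added example): register the handler once for the whole site.
      type="exception" is used because, unlike type="request", the handler page may run full CFML
      and can therefore send mail. Values below are placeholders. --->
<cfapplication name="secureSite" sessionmanagement="yes">
<cferror type="exception" template="errorhandler.cfm" mailto="admin@example.com">

<!--- errorhandler.cfm (added example): runs whenever an unhandled exception occurs --->
<!--- A random reference id lets the admin match a visitor's complaint to the mailed report
      without putting any diagnostic detail on the page --->
<cfset refId = createUUID()>

<!--- Full details go to the admin; the error.* variables are populated by cferror --->
<cfmail to="#error.mailTo#"
        from="errors@example.com"
        subject="Site error #refId# in #error.template#"
        type="text">
Reference:   #refId#
Time:        #error.dateTime#
Template:    #error.template#
Query:       #error.queryString#
Remote addr: #error.remoteAddress#
Browser:     #error.browser#
Message:     #error.message#

Diagnostics:
#error.diagnostics#
</cfmail>

<!--- The visitor gets no stack trace, SQL text, file path or data-source name,
      and nothing is written into a hidden form field --->
<cfoutput>
<p>Sorry, something went wrong. The problem has been reported to the site administrator.</p>
<p>If you contact us, please quote reference #refId#.</p>
</cfoutput>
```

Because a failing CFPARAM type check (tip 6) also raises an exception, the same handler keeps validation failures from leaking the variable names and values that were rejected.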
2. Prevent cross-site scripting: URL and FORM variable protection
   a. * Use URLEncrypt and Decrypt from www.cflib.org
   b. Checksum hidden FORM fields to prevent them from being changed.
3. * Scan and remove dangerous characters from URL/FORM: ( ) < > / |
4. * Prevent fake form submits: check that the referrer (CGI.HTTP_REFERER) is in the same domain.
   a. * Use CGI.CF_TEMPLATE_PATH to control what is run, e.g. included files.
5. Prevent viewing other users' data by changing URL or FORM parameters: checksum.
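Tips 2b and 5 both rest on the same mechanism: a checksum over the hidden fields that the server can verify and the visitor cannot forge. The following is an added example, not code from the handout. It uses a keyed hash (HMAC) rather than a plain hash so that knowing the field values is not enough to compute the checksum; the hmac() function assumes ColdFusion 10 or later (or Lucee), application.formSecret is a placeholder for a long random secret set once in Application.cfm, and session.userId is assumed to be set at login.

```cfml
<!--- formsign.cfm (added example): include this on any page that emits or receives hidden fields --->
<!--- placeholder: set once in Application.cfm from a real random value, never hard-code it in production --->
<cfparam name="application.formSecret" default="CHANGE-ME-long-random-secret">

<cffunction name="signFields" returntype="string" output="false">
    <cfargument name="values" type="struct" required="true">
    <cfset var keys = listSort(structKeyList(arguments.values), "textnocase")>
    <cfset var payload = "">
    <cfset var k = "">
    <!--- canonical key order so the same values always produce the same signature --->
    <cfloop list="#keys#" index="k">
        <cfset payload &= k & "=" & arguments.values[k] & "|">
    </cfloop>
    <!--- bind the signature to the logged-in user: a token copied from one account is useless in another,
          which is what tip 5 (viewing other users' data) needs --->
    <cfset payload &= "user=" & session.userId>
    <cfreturn hmac(payload, application.formSecret, "HMACSHA256")>
</cffunction>

<cffunction name="fieldsAreValid" returntype="boolean" output="false">
    <cfargument name="values" type="struct" required="true">
    <cfargument name="signature" type="string" required="true">
    <!--- recompute the HMAC from what was submitted and compare with the submitted signature --->
    <cfreturn compare(signFields(arguments.values), arguments.signature) EQ 0>
</cffunction>

<!--- editrecord.cfm (added example): emit the hidden values together with their signature --->
<cfinclude template="formsign.cfm">
<cfset hiddenVals = {recordId = 42, action = "update"}>   <!--- 42 is a constructed sample id --->
<cfset sig = signFields(hiddenVals)>
<cfoutput>
<form method="post" action="saverecord.cfm">
  <input type="hidden" name="recordId" value="#hiddenVals.recordId#">
  <input type="hidden" name="action"   value="#hiddenVals.action#">
  <input type="hidden" name="sig"      value="#sig#">
  <input type="text"   name="title">
  <input type="submit" value="Save">
</form>
</cfoutput>

<!--- saverecord.cfm (added example): refuse the request if any signed field was altered --->
<cfinclude template="formsign.cfm">
<cfparam name="form.recordId" type="integer">
<cfparam name="form.action"   type="string">
<cfparam name="form.sig"      type="string">
<cfset submitted = {recordId = form.recordId, action = form.action}>
<cfif NOT fieldsAreValid(submitted, form.sig)>
    <!--- log it: a mismatch here is a tampering attempt, not a user mistake --->
    <cflog file="security" text="Tampered form fields from #cgi.remote_addr#, user #session.userId#">
    <cfabort showerror="Invalid form submission.">
</cfif>
<!--- safe to act on form.recordId and form.action from here on --->
```

The signature covers the record id, so changing it to another user's record (tip 5) invalidates the form just as changing the action does (tip 2b); the user id inside the payload means the check fails even if a visitor captures a valid form from a different account.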
6. Validate all URL and FORM input: use CFPARAM to check data type and required fields, and use CFQUERYPARAM for all CF variables in SQL.
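To show tips 3 and 6 side by side, here is an added example (not from the handout) with the weak query first and the hardened version after it. The datasource siteDSN, the table orders(orderId, customerId, total) and session.customerId are placeholders.

```cfml
<!--- Weak form (shown for contrast): the URL value is concatenated into the SQL string, so whatever
      text arrives in url.orderId becomes part of the statement the database executes --->
<cfquery name="qBad" datasource="siteDSN">
    SELECT orderId, total
      FROM orders
     WHERE orderId = #url.orderId#
</cfquery>

<!--- Hardened form --->
<!--- 1. CFPARAM enforces presence and type: a missing or non-integer orderId throws before any SQL runs --->
<cfparam name="url.orderId"  type="integer">
<cfparam name="form.comment" type="string" default="">

<!--- 2. Strip the characters the sheet lists, ( ) < > / |, from free-text values that will be
      redisplayed; this is a blunt defence and is used in addition to, not instead of, cfqueryparam --->
<cfset cleanComment = reReplace(form.comment, "[()<>/|]", "", "all")>

<!--- 3. CFQUERYPARAM binds every CF variable as a typed parameter, so the database
      sees it as data and never as SQL. The customerId clause also covers tip 5:
      a visitor who edits orderId in the URL still only gets their own orders. --->
<cfquery name="qGood" datasource="siteDSN">
    SELECT orderId, total
      FROM orders
     WHERE orderId    = <cfqueryparam value="#url.orderId#"          cfsqltype="cf_sql_integer">
       AND customerId = <cfqueryparam value="#session.customerId#"   cfsqltype="cf_sql_integer">
</cfquery>

<cfif qGood.recordCount EQ 0>
    <!--- "does not exist" and "belongs to someone else" get the same response (tip 1b) --->
    <cfthrow message="Order not found">
</cfif>

<!--- the cleaned comment is safe to store through a parameter as well --->
<cfquery datasource="siteDSN">
    UPDATE orders
       SET customerNote = <cfqueryparam value="#cleanComment#" cfsqltype="cf_sql_varchar" maxlength="500">
     WHERE orderId = <cfqueryparam value="#url.orderId#" cfsqltype="cf_sql_integer">
</cfquery>
```

The maxlength attribute on the varchar parameter is a second, server-side length check that does not depend on any client-side limit (tip 7).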
7. Use server-side validation to back up client-side validation (_fieldname suffixes, CFFORM, JavaScript), because client-side validation can be disabled by the user.
8. Logon: require hard passwords, time out after 3 failures. Store hashed passwords instead of plain text in the database.
9. * Time out client and session: roll your own timeout. Protect against the browser Back button.
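Tips 8 and 9 (and the "no extra info" rule of tip 1b) fit naturally into one login page, so here is an added example that is not code from the handout. It assumes a datasource siteDSN, a table users(userId, username, salt, passHash, failedLogins, lockedUntil) and the page names login.cfm and home.cfm, all placeholders. hash() with a per-user salt is what the tip sheet's era offered; where a deliberately slow password hash such as bcrypt is available it is the better choice, but the structure below is the same.

```cfml
<!--- Application.cfm (added example): 20-minute sessions, plus a hand-rolled inactivity check
      so a session that the server has not yet expired is still cut off, and cache headers
      so the browser Back button cannot redisplay a page after logout --->
<cfapplication name="secureSite" sessionmanagement="yes"
               sessiontimeout="#createTimeSpan(0, 0, 20, 0)#">
<cfif structKeyExists(session, "userId")>
    <cfif dateDiff("n", session.lastActive, now()) GT 20>
        <cfset structDelete(session, "userId")>
        <cfset structDelete(session, "lastActive")>
        <cflocation url="login.cfm" addtoken="no">
    </cfif>
    <cfset session.lastActive = now()>
</cfif>
<cfheader name="Cache-Control" value="no-store, no-cache, must-revalidate">
<cfheader name="Pragma" value="no-cache">

<!--- login.cfm (added example) --->
<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt"     type="string" required="true">
    <!--- per-user salt: two users with the same password get different hashes --->
    <cfreturn hash(arguments.salt & arguments.password, "SHA-512")>
</cffunction>

<cfparam name="form.username" type="string">
<cfparam name="form.password" type="string">

<cfquery name="qUser" datasource="siteDSN">
    SELECT userId, salt, passHash, failedLogins, lockedUntil
      FROM users
     WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>

<!--- a NULL lockedUntil comes back as "" so isDate() is false and the account is open --->
<cfset accountOpen = (NOT isDate(qUser.lockedUntil)) OR (dateCompare(qUser.lockedUntil, now()) LT 0)>
<cfset loginOk = qUser.recordCount EQ 1
                 AND accountOpen
                 AND compare(hashPassword(form.password, qUser.salt), qUser.passHash) EQ 0>

<cfif loginOk>
    <cfquery datasource="siteDSN">
        UPDATE users SET failedLogins = 0, lockedUntil = NULL
         WHERE userId = <cfqueryparam value="#qUser.userId#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cflock scope="session" type="exclusive" timeout="5">
        <cfset session.userId     = qUser.userId>
        <cfset session.lastActive = now()>
    </cflock>
    <cflocation url="home.cfm" addtoken="no">
<cfelse>
    <cfif qUser.recordCount EQ 1>
        <!--- count the failure; the third one locks the account for 15 minutes --->
        <cfquery datasource="siteDSN">
            UPDATE users
               SET failedLogins = failedLogins + 1,
                   lockedUntil  = CASE WHEN failedLogins + 1 >= 3
                                       THEN <cfqueryparam value="#dateAdd('n', 15, now())#" cfsqltype="cf_sql_timestamp">
                                       ELSE lockedUntil END
             WHERE userId = <cfqueryparam value="#qUser.userId#" cfsqltype="cf_sql_integer">
        </cfquery>
    </cfif>
    <!--- one message whether the user is unknown, the password is wrong or the account is locked (tip 1b) --->
    <cfoutput><p>Login failed. Please check your details and try again.</p></cfoutput>
</cfif>
```

The plain-text password exists only in form.password for the life of the request; the users table holds the salt and the SHA-512 digest, so a copy of the table does not yield the passwords directly.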
10. Protect use of CFFILE uploads and CFCONTENT file display: a hacker can upload dangerous CFM files or view your source code.
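Tip 10 names two separate risks, an uploaded .cfm that the server then executes and a CFCONTENT call that serves whatever path the visitor names. The added example below (not code from the handout) handles both: uploads go outside the web root under a random name with an allow-listed extension, and downloads are looked up by record id so no path ever comes from the client. The upload directory, the datasource siteDSN and the table uploads(fileId, ownerId, storedName, clientName) are placeholders.

```cfml
<!--- shared settings (added example) --->
<cfset uploadDir  = "D:\appdata\uploads\">   <!--- placeholder; must NOT be under the web root --->
<cfset allowedExt = "jpg,jpeg,png,gif,pdf">   <!--- extensions this application actually needs --->

<!--- upload.cfm (added example) --->
<!--- The accept= attribute of cffile only checks the MIME type the browser declares, which the
      uploader controls, so the real check is done on the server-side extension below --->
<cffile action="upload" filefield="userfile" destination="#uploadDir#" nameconflict="makeunique">

<cfif NOT listFindNoCase(allowedExt, cffile.serverFileExt)>
    <!--- delete first, then complain: the file must never remain on disk --->
    <cffile action="delete" file="#uploadDir##cffile.serverFile#">
    <cflog file="security" text="Rejected upload #cffile.clientFile# from #cgi.remote_addr#">
    <cfthrow message="File type not allowed">
</cfif>

<!--- store under a random name; the original name is kept only in the database for display --->
<cfset storedName = createUUID() & "." & lCase(cffile.serverFileExt)>
<cffile action="rename" source="#uploadDir##cffile.serverFile#" destination="#uploadDir##storedName#">
<cfquery datasource="siteDSN">
    INSERT INTO uploads (ownerId, storedName, clientName)
    VALUES (<cfqueryparam value="#session.userId#"   cfsqltype="cf_sql_integer">,
            <cfqueryparam value="#storedName#"       cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#cffile.clientFile#" cfsqltype="cf_sql_varchar" maxlength="255">)
</cfquery>

<!--- download.cfm (added example): the visitor supplies a record id, never a filename or path --->
<cfparam name="url.fileId" type="integer">
<cfquery name="qFile" datasource="siteDSN">
    SELECT storedName, clientName
      FROM uploads
     WHERE fileId  = <cfqueryparam value="#url.fileId#"     cfsqltype="cf_sql_integer">
       AND ownerId = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>
<cfif qFile.recordCount EQ 0>
    <cfthrow message="File not found">
</cfif>
<!--- serve as a download; the path is built only from our directory and our stored name --->
<cfheader name="Content-Disposition" value="attachment; filename=""#qFile.clientName#""">
<cfcontent type="application/octet-stream" file="#uploadDir##qFile.storedName#" deletefile="no">
```

Because the stored files sit outside the web root and never keep a .cfm extension, a web request can reach them only through download.cfm, and that page will not read a path it did not build itself.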
Server Security
- Install latest patches for Windows, IIS and CF
- Remove software that is not used
- Remove unused accounts
- Protect with a firewall
- Use hard-to-guess long passwords with numbers in them
- Monitor your logs
What Security Means
- Security is hard because a hacker only needs one window to be open to get in, while you must close all the holes. Assume bad things will happen and code for them.
- Security is a way of thinking: "How can they get in to this page?"
- More knowledge is power: don't keep security tips secret!
Next Steps