CafeWebmaster
How do I secure my web site?

By n8coder, 9 May, 2009

  1. Brute force detection should be enabled.
  2. Cache directories should be secured.
  3. CAPTCHAs should be enabled and required for anonymous users to avoid spam.
  4. Code Injection should be prevented.
  5. Cookies should NOT be used to store passwords and sensitive data.
  6. CSRF should be prevented.
  7. Directory listing should be disabled.
  8. File Inclusion should be prevented. Use a white-list/black-list and validation model.
  9. File uploads should be enabled just for authorized users.
  10. Firewall should be enabled.
  11. FTP uploads for anonymous users should be disabled.
  12. PHP system-shell functions (system, exec, dl, shell_exec, ...) should be disabled.
  13. Register Globals for PHP should be set to off.
  14. Safe mode for PHP should be on.
  15. Sessions should be used for authentication.
  16. Session Fixation should be prevented.
  17. Session hijacking should be prevented.
  18. Source Code should be hidden.
  19. SQL Injection should be prevented. Use filters or install Apache modules like modsecurity or suhosin.
  20. Temp directory should be secured.
  21. XSS should be prevented.

Read these documents for detailed information:
http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf
http://www.owasp.org/index.php/Category:OWASP_Guide_Project

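Items 6, 15, 16 and 17 of the list above are usually implemented together in the login and form-handling code. The following is an added example in plain PHP, not code from n8coder's post or from CafeWebmaster; the function names (session_start_hardened, login_user, csrf_token, csrf_check, csrf_field) and the form field name `csrf` are assumptions made here.

```php
<?php
// Added example, not part of the original post. Covers: sessions for
// authentication (15), session fixation (16), session hijacking (17) and
// CSRF (6). Function names are assumptions made for this example.
declare(strict_types=1);

// Start the session with settings that make hijacking and fixation harder:
// use_strict_mode rejects session ids the server did not generate itself,
// use_only_cookies refuses ids passed in the URL, HttpOnly keeps the cookie
// away from JavaScript, and Secure limits it to HTTPS.
function session_start_hardened(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Item 15/16: the session, not a cookie, carries the logged-in identity, and a
// fresh session id is issued at login so an id planted before login is useless.
function login_user(int $userId): void {
    session_start_hardened();
    session_regenerate_id(true);                     // true = discard the old id
    $_SESSION['user_id'] = $userId;
    $_SESSION['csrf']    = bin2hex(random_bytes(32)); // new token per login
}

// Item 6: a per-session random token that every state-changing form must carry.
function csrf_token(): string {
    session_start_hardened();
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// The hidden input to place inside each form; the value is HTML-escaped.
function csrf_field(): string {
    return '<input type="hidden" name="csrf" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate the submitted token with a constant-time comparison.
function csrf_check(?string $submitted): bool {
    session_start_hardened();
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Usage in a form handler: the token is checked before any side effect runs,
// and only POST requests are allowed to change state.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Login required');
    }
    // ... perform the action on behalf of $_SESSION['user_id'] ...
}
```

The token is tied to the session rather than to the user, so a page rendered before login and submitted after login still fails the check, which is the intended behaviour: login_user replaces both the session id and the token.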

Anonymous (not verified)

14 years 4 months ago

use professional applications

use professional applications like drupal, joomla, wordpress, phpbb, vbulletin.

use secure frameworks like zend, symfony, cakephp etc...

separate design and code, update your core system.

follow security news, bugs etc...

use hard passwords

secure your tool-directories like phpmyadmin etc

Anonymous (not verified)

14 years 4 months ago

Don't use PHP (important)

Don't use PHP (important)

aaa (not verified)

14 years 4 months ago

CAPTCHA is a poor solution

Instead of bothering everyone with CAPTCHA you should implement something smarter.

Use bayesian filters and blacklists - there are open source projects with ready solutions. Or use Akismet/Defensio if you don't want to maintain one yourself.

For small sites there are tricks with CSS/JS that can replace CAPTCHA.

Anonymous (not verified)

14 years 3 months ago

SQL injections

Amateur coders use mysql_query() and try to assemble SQL queries by hand. Quoting the parts is often forgotten; that's where the problem comes from.
Professional programmers use PARAMETERIZED SQL instead. See PDO and ? parameters.

"Filters and Apache modules" are not a solution. Obviously, providing newbies with magic_quotes and other workarounds hasn't exactly led to better understanding. As showcased here.
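The comment above contrasts hand-assembled queries with PDO `?` parameters. This added example (not code from the commenter or from CafeWebmaster) shows both side by side against an in-memory SQLite database, so it runs offline; the `users` table, its rows and the `$input` value are constructed sample data.

```php
<?php
// Added example, not from the original comment. Hand-assembled SQL beside the
// parameterized PDO form. The table, rows and $input below are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Untrusted input as it might arrive from a form (constructed sample value).
// It contains a quote character, which is exactly the case the comment warns about.
$input = "x' OR '1'='1";

// The hand-assembled query: the quotes around $input are the only thing
// separating data from SQL, so a quote inside the data rewrites the query.
$unsafeSql  = "SELECT name FROM users WHERE name = '" . $input . "'";
$unsafeRows = $db->query($unsafeSql)->fetchAll(PDO::FETCH_COLUMN);
// $unsafeRows holds every user instead of none, because the WHERE clause
// became  name = 'x' OR '1'='1  .

// The parameterized form: the SQL text is fixed at prepare() time and the
// value is bound separately, so it can only ever be compared as data.
$stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
$stmt->execute([$input]);
$safeRows = $stmt->fetchAll(PDO::FETCH_COLUMN);
// $safeRows is empty: no user is literally named x' OR '1'='1

// Named placeholders work the same way and read better in larger queries.
$stmt = $db->prepare('SELECT name FROM users WHERE role = :role');
$stmt->execute([':role' => 'admin']);
$admins = $stmt->fetchAll(PDO::FETCH_COLUMN);   // ['alice']

printf("hand-assembled: %d rows, parameterized: %d rows, admins: %s\n",
       count($unsafeRows), count($safeRows), implode(',', $admins));
```

Prepared statements also remove the need for magic_quotes-style escaping altogether, which is the point the comment makes: the fix is to keep data out of the SQL text, not to filter it on the way in.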
